lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Wed, 11 Oct 2023 21:26:12 +0800
From:   Tina Zhang <tina.zhang@...el.com>
To:     Jason Gunthorpe <jgg@...dia.com>,
        Nicolin Chen <nicolinc@...dia.com>
CC:     Kevin Tian <kevin.tian@...el.com>,
        Lu Baolu <baolu.lu@...ux.intel.com>, <iommu@...ts.linux.dev>,
        <linux-kernel@...r.kernel.org>, Vasant Hegde <vasant.hegde@....com>
Subject: Re: [v6 PATCH 4/5] iommu: Support mm PASID 1:n with sva domains



On 10/11/23 20:39, Jason Gunthorpe wrote:
> On Wed, Oct 11, 2023 at 02:51:31PM +0800, Tina Zhang wrote:
> 
>> diff --git a/kernel/fork.c b/kernel/fork.c
>> index 3b6d20dfb9a8..985403a7a747 100644
>> --- a/kernel/fork.c
>> +++ b/kernel/fork.c
>> @@ -1277,7 +1277,6 @@ static struct mm_struct *mm_init(struct mm_struct *mm, struct task_struct *p,
>>   	mm_init_cpumask(mm);
>>   	mm_init_aio(mm);
>>   	mm_init_owner(mm, p);
>> -	mm_pasid_init(mm);
>>   	RCU_INIT_POINTER(mm->exe_file, NULL);
>>   	mmu_notifier_subscriptions_init(mm);
>>   	init_tlb_flush_pending(mm);
> 
> Nicolin debugged his crash report last night and sent me the details.
> 
> This hunk is the cause of the bug that Nicolin reported.
> 
> The dup_mm() flow does:
> 
> static struct mm_struct *dup_mm(struct task_struct *tsk,
> 				struct mm_struct *oldmm)
> {
> 	struct mm_struct *mm;
> 	int err;
> 
> 	mm = allocate_mm();
> 	if (!mm)
> 		goto fail_nomem;
> 
> 	memcpy(mm, oldmm, sizeof(*mm));
> 
> 	if (!mm_init(mm, tsk, mm->user_ns))
> 		goto fail_nomem;
> 
> It is essential that mm_pasid_init() zero the new pointer otherwise,
> due to the memcpy, after a fork two mm structs will point to the same
> thing and one will UAF/doube free.
Good catch.

Thanks,
-Tina
> 
> Keep mm_pasid_init() and add zeroing the new pointer to it.
> 
> Jason

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ