| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20240723174540.18992614c476d77e7d9fb1e6@linux-foundation.org>
Date: Tue, 23 Jul 2024 17:45:40 -0700
From: Andrew Morton <akpm@...ux-foundation.org>
To: Muchun Song <songmuchun@...edance.com>
Cc: hannes@...xchg.org, muchun.song@...ux.dev, nphamcs@...il.com,
linux-mm@...ck.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] mm: list_lru: fix UAF for memory cgroup
On Thu, 18 Jul 2024 16:36:07 +0800 Muchun Song <songmuchun@...edance.com> wrote:
> The mem_cgroup_from_slab_obj() is supposed to be called under rcu
> lock or cgroup_mutex or others which could prevent returned memcg
> from being freed. Fix it by adding missing rcu read lock.
"or others" is rather vague. What others?
> @@ -109,14 +110,20 @@ EXPORT_SYMBOL_GPL(list_lru_add);
>
> bool list_lru_add_obj(struct list_lru *lru, struct list_head *item)
> {
> + bool ret;
> int nid = page_to_nid(virt_to_page(item));
> - struct mem_cgroup *memcg = list_lru_memcg_aware(lru) ?
> - mem_cgroup_from_slab_obj(item) : NULL;
> + struct mem_cgroup *memcg;
>
> - return list_lru_add(lru, item, nid, memcg);
> + rcu_read_lock();
> + memcg = list_lru_memcg_aware(lru) ? mem_cgroup_from_slab_obj(item) : NULL;
> + ret = list_lru_add(lru, item, nid, memcg);
> + rcu_read_unlock();
We don't need rcu_read_lock() to evaluate NULL.
memcg = NULL;
if (list_lru_memcg_aware(lru)) {
rcu_read_lock();
memcg = mem_cgroup_from_slab_obj(item);
rcu_read_unlock();
}
Seems worthwhile?
Powered by blists - more mailing lists