| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <x4zctv3fdymenonaao2vwsy6ldab6d6pfappdzepfcax6ycc4n@nx46w3lncvqr>
Date: Fri, 4 Oct 2024 15:43:12 +0530
From: Manas <manas18244@...td.ac.in>
To: Peter Xu <peterx@...hat.com>
Cc: Andrew Morton <akpm@...ux-foundation.org>,
Shuah Khan <skhan@...uxfoundation.org>, Anup Sharma <anupnewsmail@...il.com>, linux-mm@...ck.org,
linux-kernel@...r.kernel.org, syzbot+093d096417e7038a689b@...kaller.appspotmail.com
Subject: Re: [PATCH] Fixes: null pointer dereference in pfnmap_lockdep_assert
Hi Peter, thanks for reviewing.
On 03.10.2024 12:41, Peter Xu wrote:
>On Thu, Oct 03, 2024 at 09:31:06PM +0530, Manas via B4 Relay wrote:
>> From: Manas <manas18244@...td.ac.in>
>>
>> syzbot has pointed to a possible null pointer dereference in
>> pfnmap_lockdep_assert. vm_file member of vm_area_struct is being
>> dereferenced without any checks.
>>
>> This fix returns if vm_file member in vm_area_struct is NULL.
>>
>> Reported-by: syzbot+093d096417e7038a689b@...kaller.appspotmail.com
>> Closes: https://syzkaller.appspot.com/bug?extid=093d096417e7038a689b
>> ---
>> This bug[1] triggers a general protection fault in follow_pfnmap_start
>> function. An assertion pfnmap_lockdep_assert inside this function
>> dereferences vm_file member of vm_area_struct. And panic gets triggered
>> when vm_file is NULL.
>>
>> This patch returns from the assertion pfnmap_lockdep_assert if vm_file
>> is found to be NULL.
>>
>> [1] https://syzkaller.appspot.com/bug?extid=093d096417e7038a689b
>>
>> Signed-off-by: Manas <manas18244@...td.ac.in>
>
>Thanks for the patch!
>
>> ---
>> mm/memory.c | 3 +++
>> 1 file changed, 3 insertions(+)
>>
>> diff --git a/mm/memory.c b/mm/memory.c
>> index 2366578015ad..b152a95e543f 100644
>> --- a/mm/memory.c
>> +++ b/mm/memory.c
>> @@ -6346,6 +6346,9 @@ static inline void pfnmap_args_setup(struct follow_pfnmap_args *args,
>> static inline void pfnmap_lockdep_assert(struct vm_area_struct *vma)
>> {
>> #ifdef CONFIG_LOCKDEP
>> + if (!vma->vm_file)
>> + return;
>> +
>
>Hmm I guess I wasn't careful enough here as I was mostly only thinking
>about file mappings, but I just notice we have other pfnmaps like the vvar
>mappings.. the mapping var can also already be reused later when available.
>
>Logically even if !vm_file we can still check against mmap write lock. So
>would it be better to do this instead:
>
> struct address_space *mapping = vma->vm_file && vma->vm_file->f_mapping;
>
This will lead to `-Wint-conversion` error in the assignment. We can either do a
cast like the following:
struct address_space *mapping = (struct address_space *)(vma->vm_file && vma->vm_file->f_mapping);
But I am not sure if it is the canonical way of doing it. It will also lead to
warning about pointer from integer casting.
Or will a conditional like this work here?
struct address_space *mapping = vma->vm_file ? vma->vm_file->f_mapping : NULL;
> if (mapping)
> lockdep_assert(lockdep_is_held(&mapping->i_mmap_rwsem) ||
> lockdep_is_held(&vma->vm_mm->mmap_lock));
> else
> lockdep_assert(lockdep_is_held(&vma->vm_mm->mmap_lock));
>
>?
>
>> struct address_space *mapping = vma->vm_file->f_mapping;
>>
>> if (mapping)
>>
>> ---
>> base-commit: 9852d85ec9d492ebef56dc5f229416c925758edc
>> change-id: 20241003-fix-null-deref-6bfa0337efc3
>>
>> Best regards,
>> --
>> Manas <manas18244@...td.ac.in>
>>
>>
>>
>
>--
>Peter Xu
>
--
Manas
Powered by blists - more mailing lists