Open Source and information security mailing list archives
Message-ID: <70f78ae0-481f-4096-af82-fe5a9f131eb3@bytedance.com>
Date: Mon, 9 Dec 2024 16:09:40 +0800
From: Qi Zheng <zhengqi.arch@...edance.com>
To: Yu Zhao <yuzhao@...gle.com>
Cc: syzbot <syzbot+1c58afed1cfd2f57efee@...kaller.appspotmail.com>,
 David Hildenbrand <david@...hat.com>, Jann Horn <jannh@...gle.com>,
 Hugh Dickins <hughd@...gle.com>, Muchun Song <muchun.song@...ux.dev>,
 akpm@...ux-foundation.org, bp@...en8.de, dave.hansen@...ux.intel.com,
 hpa@...or.com, linux-kernel@...r.kernel.org, linux-mm@...ck.org,
 mingo@...hat.com, syzkaller-bugs@...glegroups.com, tglx@...utronix.de,
 x86@...nel.org
Subject: Re: [syzbot] [mm?] KASAN: slab-use-after-free Read in move_pages_pte



On 2024/12/9 15:56, Yu Zhao wrote:
> On Mon, Dec 9, 2024 at 12:00 AM Qi Zheng <zhengqi.arch@...edance.com> wrote:

[...]

>>>>
>>>> If you want syzbot to run the reproducer, reply with:
>>>> #syz test: git://repo/address.git branch-or-commit-hash
>>>> If you attach or paste a git patch, syzbot will apply it before testing.
>>
>> #syz test: git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm.git
>> mm-unstable
>>
>> diff --git a/mm/memory.c b/mm/memory.c
>> index 83fd35c034d7a..28526a4205d1b 100644
>> --- a/mm/memory.c
>> +++ b/mm/memory.c
>> @@ -7023,7 +7023,7 @@ static struct kmem_cache *page_ptl_cachep;
>>    void __init ptlock_cache_init(void)
>>    {
>>           page_ptl_cachep = kmem_cache_create("page->ptl",
>> sizeof(spinlock_t), 0,
>> -                       SLAB_PANIC, NULL);
>> +                       SLAB_PANIC|SLAB_TYPESAFE_BY_RCU, NULL);
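Review bot: the `+` line adds SLAB_TYPESAFE_BY_RCU but leaves the constructor argument of the same kmem_cache_create() call as `NULL`, which is the part that makes this insufficient. SLAB_TYPESAFE_BY_RCU only guarantees that the slab page stays mapped across a grace period; the individual object can be freed and handed to a new user immediately, and that user re-initialises the lock, as the reply below notes. The flag's documented contract (the comment in include/linux/slab.h) is that any lock inside such an object is initialised once by the cache constructor, never on allocation, and that every RCU-side user re-validates the object after acquiring it; this hunk supplies neither, so a reader that reaches a reinitialised lock is in the same use-after-free position the report describes. If readers must be able to touch a PTL after the page table is torn down, deferring ptlock_free() through an RCU callback (so that particular object cannot be recycled until the grace period ends) is the more direct fix; if the flag is kept, the change needs a constructor and a comment stating the reader-side validation it relies on.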
> 
> Note that `SLAB_TYPESAFE_BY_RCU` works by freeing the entire slab (the
> page containing the objects) with RCU, not individual objects.
> 
> So I don't think this would work. A PTL object can be re-allocated to
> someone else, and that new user can re-initialize it. So trying to
> concurrently lock it under RCU read lock would also be use-after-free.
> 

Got it. Thanks for pointing this out! So we should put ptlock_free()
into the RCU callback instead of enabling SLAB_TYPESAFE_BY_RCU for
page_ptl_cachep.

>>
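The distinction Yu Zhao draws (the slab page staying mapped versus the object itself staying valid) is easy to get wrong, so here is a small user-space model of the two strategies discussed in this thread. It is an added illustration written for this page, not kernel code and not anything posted by the participants; the toy cache, the `owner` tag and the function names are hypothetical stand-ins for page_ptl_cachep, ptlock_alloc()/ptlock_free() and the RCU read-side primitives. `typesafe_by_rcu = true` models SLAB_TYPESAFE_BY_RCU (free returns the slot to the freelist at once, allocation re-initialises the lock), `false` models the alternative of running the free from an RCU callback.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define NOBJ 4

/* Stand-in for the page->ptl spinlock_t: a held flag plus an owner tag
 * (the tag is a hypothetical addition so the reader can tell whether the
 * object it reached is still the one it meant to lock). */
struct ptl {
    bool in_use;      /* allocated to someone (slab-level state) */
    unsigned owner;   /* which page table currently owns it */
    int held;         /* 1 while a locker "holds" it */
};

/* Toy slab cache: fixed array, lowest free slot reused first. The point
 * is only that a freed slot is reused, as a real freelist would do. */
struct cache {
    struct ptl obj[NOBJ];
    bool typesafe_by_rcu;        /* models SLAB_TYPESAFE_BY_RCU */
    struct ptl *deferred[NOBJ];  /* frees waiting on the grace period (call_rcu model) */
    int ndeferred;
    int readers;                 /* outstanding rcu_read_lock() sections */
};

static void cache_init(struct cache *c, bool typesafe_by_rcu)
{
    memset(c, 0, sizeof(*c));
    c->typesafe_by_rcu = typesafe_by_rcu;
}

/* ptlock_alloc() analogue: every allocation re-initialises the lock,
 * which is what a NULL constructor implies. */
static struct ptl *cache_alloc(struct cache *c, unsigned owner)
{
    for (int i = 0; i < NOBJ; i++) {
        if (!c->obj[i].in_use) {
            c->obj[i].in_use = true;
            c->obj[i].owner = owner;
            c->obj[i].held = 0;          /* spin_lock_init() on reuse */
            return &c->obj[i];
        }
    }
    return NULL;
}

static void rcu_read_lock_model(struct cache *c) { c->readers++; }

/* When the last reader leaves, the grace period has elapsed: run callbacks. */
static void rcu_read_unlock_model(struct cache *c)
{
    if (--c->readers > 0)
        return;
    for (int i = 0; i < c->ndeferred; i++)
        c->deferred[i]->in_use = false;   /* the real ptlock_free() would run here */
    c->ndeferred = 0;
}

/* ptlock_free() analogue. */
static void cache_free(struct cache *c, struct ptl *p)
{
    if (c->typesafe_by_rcu || c->readers == 0) {
        /* Slab page stays mapped, but the object is immediately reusable:
         * nothing waits for readers. */
        p->in_use = false;
        return;
    }
    /* Deferred variant: hand the object to an RCU callback instead. */
    c->deferred[c->ndeferred++] = p;
}

/* One interleaving: a lockless reader finds PTL A under rcu_read_lock() and
 * takes it; before it is done, A's owner frees it and a new user allocates.
 * Returns true if the reader's lock is still intact afterwards. */
static bool reader_lock_survives(bool typesafe_by_rcu)
{
    struct cache c;
    cache_init(&c, typesafe_by_rcu);

    struct ptl *a = cache_alloc(&c, 1);   /* page table 1's lock */

    rcu_read_lock_model(&c);
    struct ptl *p = a;                    /* reader fetched the PTL pointer */
    p->held = 1;                          /* spin_lock(p) */

    cache_free(&c, a);                    /* page table 1 torn down */
    struct ptl *b = cache_alloc(&c, 2);   /* someone else allocates */

    /* With SLAB_TYPESAFE_BY_RCU alone, b == a and the new allocation's
     * spin_lock_init() has cleared the lock the reader believes it holds. */
    bool intact = (p->held == 1 && p->owner == 1 && b != a);

    p->held = 0;                          /* spin_unlock(p) */
    rcu_read_unlock_model(&c);            /* grace period: deferred free runs */
    return intact;
}

/* The deferred variant must still free the object once readers are gone. */
static bool deferred_free_completed(void)
{
    struct cache c;
    cache_init(&c, false);
    struct ptl *a = cache_alloc(&c, 1);
    rcu_read_lock_model(&c);
    cache_free(&c, a);
    bool reusable_early = !a->in_use;     /* must stay false while a reader is active */
    rcu_read_unlock_model(&c);
    return !reusable_early && !a->in_use;
}
```

Running `reader_lock_survives(true)` returns false: the slot is recycled while the reader holds it, which is the "re-initialize it" hazard in the reply above. `reader_lock_survives(false)` returns true because the object is not eligible for reuse until the read-side section ends, and `deferred_free_completed()` confirms the deferred free still happens afterwards.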
