| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAG48ez2aqd3gYV-6fEjhNpQ05_16htPZX+aGZk-iVh07HpBbTQ@mail.gmail.com>
Date: Mon, 2 Jun 2025 21:34:55 +0200
From: Jann Horn <jannh@...gle.com>
To: Lorenzo Stoakes <lorenzo.stoakes@...cle.com>
Cc: SeongJae Park <sj@...nel.org>, Andrew Morton <akpm@...ux-foundation.org>,
"Liam R. Howlett" <Liam.Howlett@...cle.com>, David Hildenbrand <david@...hat.com>,
Shakeel Butt <shakeel.butt@...ux.dev>, Vlastimil Babka <vbabka@...e.cz>, linux-kernel@...r.kernel.org,
linux-mm@...ck.org, stable@...nel.org, Barry Song <21cnbao@...il.com>
Subject: Re: [PATCH] mm/madvise: handle madvise_lock() failure during race unwinding
On Mon, Jun 2, 2025 at 9:28 PM Lorenzo Stoakes
<lorenzo.stoakes@...cle.com> wrote:
> On Mon, Jun 02, 2025 at 09:20:14PM +0200, Jann Horn wrote:
> > @akpm FYI, this looks like it fixes a security bug in 6.15 (probably
> > leads to UAF of VMA structs and page tables by racing madvise(...,
> > MADV_GUARD_INSTALL) with concurrent faults)
>
> Hmm MADV_GUARD_INSTALL / MADV_GUARD_REMOVE require only a read lock, so
> madvise_lock() will be:
>
>
> if (madvise_need_mmap_write(behavior)) { <--- nope
> if (mmap_write_lock_killable(mm))
> return -EINTR;
> } else {
> mmap_read_lock(mm); <---- this branch
> }
> return 0;
>
> So for guard install, which is the only thing that can return -ERESTARTNOINTR
> madvise_lock() ignoring the return value is essentially a no-op no?
>
> Am I missing something?
... you're right, of course. please ignore my needlessly alarmist comment.
(I think it is surprising that the write lock is killable while the
read lock isn't but that's another story)
Powered by blists - more mailing lists