| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <16c97e30-19c9-41e8-b73b-c0b3c8eceff3@suse.cz> Date: Wed, 23 Jul 2025 19:32:24 +0200 From: Vlastimil Babka <vbabka@...e.cz> To: Jann Horn <jannh@...gle.com>, Andrew Morton <akpm@...ux-foundation.org>, "Liam R. Howlett" <Liam.Howlett@...cle.com>, Lorenzo Stoakes <lorenzo.stoakes@...cle.com>, Suren Baghdasaryan <surenb@...gle.com> Cc: Pedro Falcato <pfalcato@...e.de>, Linux-MM <linux-mm@...ck.org>, kernel list <linux-kernel@...r.kernel.org> Subject: Re: [BUG] hard-to-hit mm_struct UAF due to insufficiently careful vma_refcount_put() wrt SLAB_TYPESAFE_BY_RCU On 7/23/25 18:26, Jann Horn wrote: > There's a racy UAF in `vma_refcount_put()` when called on the > `lock_vma_under_rcu()` path because `SLAB_TYPESAFE_BY_RCU` is used > without sufficient protection against concurrent object reuse: Oof. > I'm not sure what the right fix is; I guess one approach would be to > have a special version of vma_refcount_put() for cases where the VMA > has been recycled by another MM that grabs an extra reference to the > MM? But then dropping a reference to the MM afterwards might be a bit > annoying and might require something like mmdrop_async()... Would we need mmdrop_async()? Isn't this the case for mmget_not_zero() and mmput_async()?
Powered by blists - more mailing lists