| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <97938dc6-5dfe-4591-ba53-3729934c1235@suse.cz>
Date: Mon, 28 Jul 2025 19:39:08 +0200
From: Vlastimil Babka <vbabka@...e.cz>
To: Suren Baghdasaryan <surenb@...gle.com>
Cc: akpm@...ux-foundation.org, jannh@...gle.com, Liam.Howlett@...cle.com,
lorenzo.stoakes@...cle.com, pfalcato@...e.de, linux-mm@...ck.org,
linux-kernel@...r.kernel.org, stable@...r.kernel.org
Subject: Re: [PATCH 1/1] mm: fix a UAF when vma->mm is freed after
vma->vm_refcnt got dropped
On 7/28/25 19:37, Suren Baghdasaryan wrote:
> On Mon, Jul 28, 2025 at 10:19 AM Vlastimil Babka <vbabka@...e.cz> wrote:
>> > + */
>> > + if (unlikely(vma->vm_mm != mm)) {
>> > + /*
>> > + * __mmdrop() is a heavy operation and we don't need RCU
>> > + * protection here. Release RCU lock during these operations.
>> > + */
>> > + rcu_read_unlock();
>> > + mmgrab(vma->vm_mm);
>> > + vma_refcount_put(vma);
>>
>> The vma can go away here.
>
> No, the vma can't go away here because we are holding vm_refcnt. So,
> the vma and its mm are stable up until vma_refcount_put() drops
> vm_refcnt.
But that's exactly what we're doing here?
>>
>> > + mmdrop(vma->vm_mm);
And here we reference the vma again?
>> So we need to copy the vma->vm_mm first?
>>
>> > + rcu_read_lock();
>> > + return NULL;
>> > + }
>> > +
>> > /*
>> > * Overflow of vm_lock_seq/mm_lock_seq might produce false locked result.
>> > * False unlocked result is impossible because we modify and check
Powered by blists - more mailing lists