| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <b5ffe4ad-690d-4668-97c2-9b94fc1da32b@lucifer.local>
Date: Mon, 5 Jan 2026 15:32:17 +0000
From: Lorenzo Stoakes <lorenzo.stoakes@...cle.com>
To: "Liam R. Howlett" <Liam.Howlett@...cle.com>,
Harry Yoo <harry.yoo@...cle.com>,
Andrew Morton <akpm@...ux-foundation.org>,
Vlastimil Babka <vbabka@...e.cz>, Jann Horn <jannh@...gle.com>,
Pedro Falcato <pfalcato@...e.de>, Yeoreum Yun <yeoreum.yun@....com>,
linux-mm@...ck.org, linux-kernel@...r.kernel.org,
David Hildenbrand <david@...nel.org>,
Jeongjun Park <aha310510@...il.com>, Rik van Riel <riel@...riel.com>
Subject: Re: [PATCH] mm/vma: fix anon_vma UAF on mremap() faulted, unfaulted
merge
On Mon, Jan 05, 2026 at 10:24:13AM -0500, Liam R. Howlett wrote:
> > mremap()
> > |-----------------------------------|
> > | |
> > v |
> > [ VMA C, unfaulted ][ gap ][ VMA B, unfaulted ][ gap ][ VMA A, faulted ]
>
> The key part here is that target == prev in this case (as stated in the
> email linked). So we're going to dup nothing, but we really need to dup
> VMA A's anon vma - right?
Yup.
There are a number other cases like this, mremap() of anon breaks things,
because the copy_vma() case violates sensible assumptions, in the way anon
mremap() violates many other sensible assumptions.
I have a generalised fix I'm just finishing up the tests for it now.
You'll see exactly which cases in the v2 which I'll send later today.
I also noticed another issue which I'll fix in the same series...
Happy New Year! ;)
Powered by blists - more mailing lists