On Mon, Jan 24, 2022, Tadeusz Struk wrote: > On 1/24/22 10:29, Sean Christopherson wrote: > > On Mon, Jan 24, 2022, Paolo Bonzini wrote: > > > On 1/24/22 18:26, Tadeusz Struk wrote: > > > > Syzbot reported an use-after-free bug in update_accessed_dirty_bits(). > > > > Fix this by checking if the memremap'ed pointer is still valid. > > > access_ok only checks that the pointer is in the userspace range. Is this > > > correct? And if so, what are the exact circumstances in which access_ok > > > returns a non-NULL but also non-userspace address? > > I "objected" to this patch in its initial posting[*]. AFAICT adding access_ok() > > is just masking a more egregious bug where interpretation of vm_pgoff as a PFN > > base is flat out wrong except for select backing stores that use VM_PFNMAP. In > > other words, the vm_pgoff hack works for the /dev/mem use case, but it is wrong > > in general. > > > > The issue here is not related to /dev/mem, but binder allocated memory, which is > yet another special mapping use case. In this case the condition > > if (!vma || !(vma->vm_flags & VM_PFNMAP)) > > doesn't cover this special mappings. Adding the access_ok() was my something > that fixed the use-after-free issue for me, and since I didn't have anything > better I thought I will send an RFC to start some discussion. > After some more debugging I came up with the bellow. > Will that be more acceptable? I'm pretty sure anything that keeps the vm_pgoff "logic" is a band-aid. But I'm 99% sure we can simply do cmpxchg directly on the user address, we just need to get support for that, which has happily been posted[*]. I'll give that a shot tomorrow, I want to convert similar code in the emulator, it'd be very nice to purge all of this crud. [*] https://lore.kernel.org/all/20220120160822.852009966@xxxxxxxxxxxxx
