"Matthew Wilcox (Oracle)" <willy@xxxxxxxxxxxxx> writes:
> I'm not sure if the VMA list can change under us, but dump_vma_snapshot()
> is very careful to take the mmap_lock in write mode. We only need to
> take it in read mode here as we do not care if the size of the stack
> VMA changes underneath us.
>
> If it can be changed underneath us, this is a potential use-after-free
> for a multithreaded process which is dumping core.
The problem is not multi-threaded process so much as processes that
share their mm.
I think rather than take a lock we should be using the snapshot captured
with dump_vma_snapshot. Otherwise we have the very real chance that the
two get out of sync. Which would result in a non-sense core file.
Probably that means that dump_vma_snapshot needs to call get_file on
vma->vm_file store it in core_vma_metadata.
Do you think you can fix it something like that?
Eric
> Fixes: 2aa362c49c31 ("coredump: extend core dump note section to contain file names of mapped files")
> Signed-off-by: Matthew Wilcox (Oracle) <willy@xxxxxxxxxxxxx>
> Reviewed-by: Liam R. Howlett <Liam.Howlett@xxxxxxxxxx>
> ---
> fs/binfmt_elf.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
> index 605017eb9349..dc2318355762 100644
> --- a/fs/binfmt_elf.c
> +++ b/fs/binfmt_elf.c
> @@ -1651,6 +1651,7 @@ static int fill_files_note(struct memelfnote *note)
> name_base = name_curpos = ((char *)data) + names_ofs;
> remaining = size - names_ofs;
> count = 0;
> + mmap_read_lock(mm);
> for (vma = mm->mmap; vma != NULL; vma = vma->vm_next) {
> struct file *file;
> const char *filename;
> @@ -1661,6 +1662,7 @@ static int fill_files_note(struct memelfnote *note)
> filename = file_path(file, name_curpos, remaining);
> if (IS_ERR(filename)) {
> if (PTR_ERR(filename) == -ENAMETOOLONG) {
> + mmap_read_unlock(mm);
> kvfree(data);
> size = size * 5 / 4;
> goto alloc;
> @@ -1680,6 +1682,7 @@ static int fill_files_note(struct memelfnote *note)
> *start_end_ofs++ = vma->vm_pgoff;
> count++;
> }
> + mmap_read_unlock(mm);
>
> /* Now we know exact count of files, can store it */
> data[0] = count;
