Re: security, hugetlbfs: write to user memory in hugetlbfs_destroy_inode

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 03/23/2017 06:49 AM, Tetsuo Handa wrote:
> Dmitry Vyukov wrote:
>> On Thu, Mar 23, 2017 at 2:06 PM, Dmitry Vyukov <dvyukov@xxxxxxxxxx> wrote:
>>> Hello,
>>>
>>> I've got the following report while running syzkaller fuzzer on
>>> 093b995e3b55a0ae0670226ddfcb05bfbf0099ae. Note the preceding injected
>>> kmalloc failure in inode_alloc_security, most likely it's the root
>>> cause.
> 
> I don't think inode_alloc_security() failure is the root cause.
> I think this is a bug in hugetlbfs or mm part.
> 
> If inode_alloc_security() fails, inode->i_security remains NULL
> which was initialized to NULL at security_inode_alloc(). Thus,
> security_inode_alloc() is irrelevant to this problem.
> 
> inode_init_always() returned -ENOMEM due to fault injection and
> 
> 	if (unlikely(inode_init_always(sb, inode))) {
> 		if (inode->i_sb->s_op->destroy_inode)
> 			inode->i_sb->s_op->destroy_inode(inode);
> 		else
> 			kmem_cache_free(inode_cachep, inode);
> 		return NULL;
> 	}
> 
> hugetlbfs_destroy_inode() was called via inode->i_sb->s_op->destroy_inode()
> when inode initialization failed
> 
> static void hugetlbfs_destroy_inode(struct inode *inode)
> {
> 	hugetlbfs_inc_free_inodes(HUGETLBFS_SB(inode->i_sb));
> 	mpol_free_shared_policy(&HUGETLBFS_I(inode)->policy);
> 	call_rcu(&inode->i_rcu, hugetlbfs_i_callback);
> }
> 
> but mpol_shared_policy_init() is called only when new_inode() succeeds.
> 
> 	inode = new_inode(sb);
> 	if (inode) {
> (...snipped...)
> 		info = HUGETLBFS_I(inode);
> 		/*
> 		 * The policy is initialized here even if we are creating a
> 		 * private inode because initialization simply creates an
> 		 * an empty rb tree and calls rwlock_init(), later when we
> 		 * call mpol_free_shared_policy() it will just return because
> 		 * the rb tree will still be empty.
> 		 */
> 		mpol_shared_policy_init(&info->policy, NULL);
> 

Thank you for analysis (and Dmitry for reporting).

This certainly does look like a hugetlbfs bug.  I will put together a
patch to fix.

-- 
Mike Kravetz

--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@xxxxxxxxx.  For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@xxxxxxxxx";> email@xxxxxxxxx </a>



[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Bugtraq]     [Linux OMAP]     [Linux MIPS]     [eCos]     [Asterisk Internet PBX]     [Linux API]
  Powered by Linux