On 2019/8/15 17:54, Oleg Nesterov wrote: > On 08/15, Kefeng Wang wrote: >> >> On 2019/8/14 23:41, Oleg Nesterov wrote: >>> >>> Heh, I didn't notice you too mentioned userfaultfd_release() in your email. >>> can you try the patch below? >> >> Your patch below fixes the issue, could you send a formal patch ASAP and also it >> should be queued into stable, I have test lts4.4, it works too, thanks. > > Thanks. > > Yes, I _think_ we need something like this patch anyway, but it needs more > discussion. And it is not clear if it really fixes this issue or it hides > another bug. > OK, hope more specialists notice this issue and comment it. > >> I built kernel with wrong gcc version, and the KASAN is not enabled, When KASAN enabled, >> there is an UAF, >> >> [ 67.393442] ================================================================== >> [ 67.395531] BUG: KASAN: use-after-free in handle_userfault+0x12f/0xc70 >> [ 67.397001] Read of size 8 at addr ffff8883c622c160 by task syz-executor.9/5225 > > OK, thanks this probably confirms that .ctx points to nowhere because it > was freed by userfaultfd_release() without clearing vm_flags/userfaultfd_ctx. The patch do fix the UAF and avoid panic, and it doesn't seem to cause new issue, even if there are some another issue, it can be fixed later :) > > But, > >> [ 67.430243] RIP: 0010:copy_user_handle_tail+0x2/0x10 >> [ 67.431586] Code: c3 0f 1f 80 00 00 00 00 66 66 90 83 fa 40 0f 82 70 ff ff ff 89 d1 f3 a4 31 c0 66 66 90 c3 66 2e 0f 1f 84 00 00 00 00 00 89 d1 <f3> a4 89 c8 66 66 90 c3 66 0f 1f 44 00 00 66 66 90 83 fa 08 0f 82 >> [ 67.436978] RSP: 0018:ffff8883c4e8f908 EFLAGS: 00010246 >> [ 67.438743] RAX: 0000000000000001 RBX: 0000000020ffd000 RCX: 0000000000001000 >> [ 67.441101] RDX: 0000000000001000 RSI: 0000000020ffd000 RDI: ffff8883c0aa4000 >> [ 67.442865] RBP: 0000000000001000 R08: ffffed1078154a00 R09: 0000000000000000 >> [ 67.444534] R10: 0000000000000200 R11: ffffed10781549ff R12: ffff8883c0aa4000 >> [ 67.446216] R13: ffff8883c6096000 R14: ffff88837721f838 R15: ffff8883c6096000 >> [ 67.448388] _copy_from_user+0xa1/0xd0 >> [ 67.449655] mcopy_atomic+0xb3d/0x1380 >> [ 67.450991] ? lock_downgrade+0x3a0/0x3a0 >> [ 67.452337] ? mm_alloc_pmd+0x130/0x130 >> [ 67.453618] ? __might_fault+0x7d/0xe0 >> [ 67.454980] userfaultfd_ioctl+0x14a2/0x1c30 > > This must not be called after __fput(). So I think there is something else, > may by just an unbalanced userfaultfd_ctx_put(). I dunno, I know nothing > about usefaultfd. There are different processes, maybe some concurrency problems. > > It would be nice to understand what this reproducer does... I tried strace -f the reproducer, but can't find any useful info. > > Oleg. > > > . >
