Re: [PATCH v3 1/1] mm: fix use-after-free when anon vma name is used after vma is freed

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, Feb 17, 2022 at 11:54 AM Suren Baghdasaryan <surenb@xxxxxxxxxx> wrote:
>
> On Wed, Feb 16, 2022 at 12:06 AM Michal Hocko <mhocko@xxxxxxxx> wrote:
> >
> > On Tue 15-02-22 15:02:54, Suren Baghdasaryan wrote:
> > > On Tue, Feb 15, 2022 at 12:05 PM Michal Hocko <mhocko@xxxxxxxx> wrote:
> > > >
> > > > One thing I was considering is to check agains ref counte overflo (a
> > > > deep process chain with many vmas could grow really high. ref_count
> > > > interface doesn't provide any easy way to check for overflows as far as
> > > > I could see from a quick glance so I gave up there but the logic would
> > > > be really straightforward. We just create a new anon_vma_name with the same
> > > > content and use it when duplicating if the usage grow really
> > > > (arbitrarily) high.
> > >
> > > I went over proposed changes. I see a couple small required fixes
> > > (resetting the name to NULL seems to be missing and I think
> > > dup_vma_anon_name needs some tweaking) but overall quite
> > > straight-forward.
> >
> > OK, great that this makes sense to you. As I've said I didn't really go
> > into details, not even dared to boot that to test. So it will very
> > likely need some more work but I do not expect this to grow much.
> >
> > > I'll post a separate patch to do this refactoring.
> > > The original patch is fixing the UAF issue, so I don't want to mix it
> > > with refactoring. Please let me know if you see an issue with
> > > separating it that way.
> >
> > Well, I am not sure TBH. Look at diffstats. Your fix
> > 2 files changed, 63 insertions(+), 17 deletions(-)
> > the refactoring which should fix this and potentially others that might
> > be still lurking there (because mixing shared pointers and their internal
> > objects just begs for problems) is
> > 7 files changed, 63 insertions(+), 86 deletions(-)
> >
> > more files touched for sure but the net result is much more clear and a
> > much more code removed.
> > The overflow logic would make it bigger but I guess the existing scheme
> > needs it as well.
>
> Ok, I'll see how to slice it after it's complete and tested.
> Thanks for the input!

I posted the new patchset that includes:
1. refactoring of the code suggested by Michal:
https://lore.kernel.org/all/20220222054025.3412898-1-surenb@xxxxxxxxxx
2. refcount overflow protection suggested by Michal:
https://lore.kernel.org/all/20220222054025.3412898-2-surenb@xxxxxxxxxx
3. UAF fix (originally implemented by this patch) reimplemented after
the first two changes:
https://lore.kernel.org/all/20220222054025.3412898-3-surenb@xxxxxxxxxx
Hopefully this sequence makes sense.
Thanks,
Suren.

>
> >
> > I would also claim that both approaches are really painful to review
> > because the existing model spreads into several areas and it is not
> > really clear you caught them all just by staring into the diff so both
> > will be rather painful to backport to older kernels. Fortunately this
> > would be only 5.17.
> > --
> > Michal Hocko
> > SUSE Labs




[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Bugtraq]     [Linux OMAP]     [Linux MIPS]     [eCos]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux