Re: [PATCH] mm: hugetlb: fix UAF in hugetlb_handle_userfault

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 09/21/22 16:34, Liu Shixin wrote:
> The vma_lock and hugetlb_fault_mutex are dropped before handling
> userfault and reacquire them again after handle_userfault(), but
> reacquire the vma_lock could lead to UAF[1] due to the following
> race,
> 
> hugetlb_fault
>   hugetlb_no_page
>     /*unlock vma_lock */
>     hugetlb_handle_userfault
>       handle_userfault
>         /* unlock mm->mmap_lock*/
>                                            vm_mmap_pgoff
>                                              do_mmap
>                                                mmap_region
>                                                  munmap_vma_range
>                                                    /* clean old vma */
>         /* lock vma_lock again  <--- UAF */
>     /* unlock vma_lock */
> 
> Since the vma_lock will unlock immediately after hugetlb_handle_userfault(),
> let's drop the unneeded lock and unlock in hugetlb_handle_userfault() to fix
> the issue.

Thank you very much!

When I saw this report, the obvious fix was to do something like what you have
done below.  That looks fine with a few minor comments.

One question I have not yet answered is, "Does this same issue apply to
follow_hugetlb_page()?".  I believe it does.  follow_hugetlb_page calls
hugetlb_fault which could result in the fault being processed by userfaultfd.
If we experience the race above, then the associated vma could no longer be
valid when returning from hugetlb_fault.  follow_hugetlb_page and callers
have a flag (locked) to deal with dropping mmap lock.  However, I am not sure
if it is handled correctly WRT userfaultfd.  I think this needs to be answered
before fixing.  And, if the follow_hugetlb_page code needs to be fixed it
should be done at the same time.

> [1] https://lore.kernel.org/linux-mm/20220921014457.1668-1-liuzixian4@xxxxxxxxxx/
> Reported-by: Liu Zixian <liuzixian4@xxxxxxxxxx>

Perhaps reported by should be,
Reported-by: syzbot+193f9cee8638750b23cf@xxxxxxxxxxxxxxxxxxxxxxxxx
https://lore.kernel.org/linux-mm/000000000000d5e00a05e834962e@xxxxxxxxxx/

Should also add,
Fixes: 1a1aad8a9b7b ("userfaultfd: hugetlbfs: add userfaultfd hugetlb hook")

as well as,
Cc: <stable@xxxxxxxxxxxxxxx>

> Signed-off-by: Liu Shixin <liushixin2@xxxxxxxxxx>
> Signed-off-by: Kefeng Wang <wangkefeng.wang@xxxxxxxxxx>
> ---
>  mm/hugetlb.c | 30 +++++++++++-------------------
>  1 file changed, 11 insertions(+), 19 deletions(-)
> 
> diff --git a/mm/hugetlb.c b/mm/hugetlb.c
> index 9b8526d27c29..5a5d466692cf 100644
> --- a/mm/hugetlb.c
> +++ b/mm/hugetlb.c
...
> @@ -5792,11 +5786,9 @@ vm_fault_t hugetlb_fault(struct mm_struct *mm, struct vm_area_struct *vma,
>  
>  	entry = huge_ptep_get(ptep);
>  	/* PTE markers should be handled the same way as none pte */
> -	if (huge_pte_none_mostly(entry)) {
> -		ret = hugetlb_no_page(mm, vma, mapping, idx, address, ptep,
> +	if (huge_pte_none_mostly(entry))

We should add a big comment noting that hugetlb_no_page will drop vma lock
and hugetl fault mutex.  This will make it easier for people reading the code
and immediately thinking we are returning without dropping the locks.

-- 
Mike Kravetz

> +		return hugetlb_no_page(mm, vma, mapping, idx, address, ptep,
>  				      entry, flags);
> -		goto out_mutex;
> -	}
>  
>  	ret = 0;
>  
> -- 
> 2.25.1
> 




[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Bugtraq]     [Linux OMAP]     [Linux MIPS]     [eCos]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux