Re: [PATCH v4 1/7] userfaultfd: move core VMA manipulation logic to mm/userfaultfd.c

On Wed, Aug 07, 2024 at 11:45:56AM GMT, Pengfei Xu wrote:
> Hi Lorenzo Stoakes,
>
> Greetings!
>
> I used syzkaller and found
> KASAN: slab-use-after-free Read in userfaultfd_set_ctx in next-20240805.
>
> Bisected the first bad commit:
> 4651ba8201cf userfaultfd: move core VMA manipulation logic to mm/userfaultfd.c
>
> All detailed info: https://github.com/xupengfe/syzkaller_logs/tree/main/240806_122723_userfaultfd_set_ct

[snip]

Andrew - As this is so small, could you take this as a fix-patch? The fix
is enclosed below.


Pengfei - Sorry for the delay on getting this resolved. I was struggling to
repro with my usual dev setup; after trying a lot of things I ended up
using the supplied repro env and was able to do so there.

(I suspect that VMAs are laid out slightly differently in my usual arch base
image perhaps based on tunables, and this was the delta on that!)

Regardless, I was able to identify the cause - we incorrectly pass a stale
pointer to userfaultfd_reset_ctx() if a merge is performed in
userfaultfd_clear_vma().

This was a subtle mistake on my part; I don't see any other instances like
this in the patch.

Syzkaller managed to get this merge to happen and KASAN picked up on it, so
thank you very much for supplying the infra!

The fix itself is very simple, a one-liner, enclosed below.

----8<----
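The one-line fix referenced above is not reproduced on this archived page. What follows is an added stand-alone C model of the defect class the report describes (a VMA pointer that goes stale once a merge frees it, then gets passed to a reset routine), written for this page and not taken from the kernel or from the patch. All names (struct vma, struct uffd_ctx, vma_modify_ctx, reset_ctx, clear_vma_stale, clear_vma_fixed, VMA_UFFD_FLAGS) are constructed stand-ins with simplified layouts; freeing is modelled by a `freed` marker so the stale access is observable the way KASAN reports it, rather than undefined behaviour.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-ins for the kernel objects; layouts are deliberately
 * simplified and are not the real struct vm_area_struct / userfaultfd_ctx. */
struct uffd_ctx { int id; };

struct vma {
    unsigned long start, end;
    struct uffd_ctx *ctx;
    unsigned flags;
    bool freed;   /* models slab-freed memory so a later touch is detectable */
};

#define VMA_UFFD_FLAGS 0x1u   /* hypothetical flag bit set while a ctx is attached */

struct vma *vma_alloc(unsigned long start, unsigned long end, struct uffd_ctx *ctx)
{
    struct vma *v = calloc(1, sizeof(*v));
    if (!v)
        abort();
    v->start = start;
    v->end = end;
    v->ctx = ctx;
    v->flags = ctx ? VMA_UFFD_FLAGS : 0;
    return v;
}

/* Model of freeing: memory is kept around (like a sanitizer quarantine) so
 * that a use-after-free shows up as an observable condition, not a crash. */
static void vma_free(struct vma *v)
{
    v->freed = true;
}

/* Model of "modify flags then merge": apply the new ctx to vma, then merge it
 * into prev when the two are adjacent and now compatible. On a merge, vma is
 * freed and the surviving VMA (prev) is returned; callers must keep using the
 * returned pointer, never the one they passed in. */
struct vma *vma_modify_ctx(struct vma *prev, struct vma *vma, struct uffd_ctx *new_ctx)
{
    vma->ctx = new_ctx;
    if (prev && prev->end == vma->start && prev->ctx == new_ctx) {
        prev->end = vma->end;
        vma_free(vma);
        return prev;
    }
    return vma;
}

/* Clears the per-VMA uffd flags. Returns -1 if handed freed memory, which is
 * the condition the sanitizer flagged in the report; 0 otherwise. */
int reset_ctx(struct vma *v)
{
    if (v->freed)
        return -1;
    v->flags &= ~VMA_UFFD_FLAGS;
    return 0;
}

/* Defective pattern: the caller ignores the VMA returned by the merge and
 * keeps using its original pointer, which is stale whenever a merge happened. */
int clear_vma_stale(struct vma *prev, struct vma *vma)
{
    vma_modify_ctx(prev, vma, NULL);
    return reset_ctx(vma);      /* vma may already be freed here */
}

/* Corrected pattern: operate on whichever VMA survived the merge. */
int clear_vma_fixed(struct vma *prev, struct vma *vma)
{
    vma = vma_modify_ctx(prev, vma, NULL);
    return reset_ctx(vma);
}

int main(void)
{
    struct uffd_ctx c = { 1 };
    /* Constructed layout: prev has no ctx, vma is adjacent with ctx c, so
     * clearing the ctx makes the pair mergeable, just as syzkaller arranged. */
    struct vma *p = vma_alloc(0, 0x1000, NULL);
    struct vma *v = vma_alloc(0x1000, 0x2000, &c);
    printf("stale pattern: %d\n", clear_vma_stale(p, v));   /* -1: touched freed VMA */

    p = vma_alloc(0, 0x1000, NULL);
    v = vma_alloc(0x1000, 0x2000, &c);
    printf("fixed pattern: %d, merged range [0, 0x%lx)\n", clear_vma_fixed(p, v), p->end);
    return 0;
}
```

The point the model makes is that the stale variant only misbehaves when the merge actually fires; when the neighbouring VMA is not adjacent or not compatible, both variants behave identically, which is why such a defect can survive ordinary testing until a fuzzer happens to produce the mergeable layout.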
