The patch titled
     Subject: ipc/shm: fix use-after-free of shm file via remap_file_pages()
has been added to the -mm tree.  Its filename is
     ipc-shm-fix-use-after-free-of-shm-file-via-remap_file_pages-v2.patch

This patch should soon appear at
    http://ozlabs.org/~akpm/mmots/broken-out/ipc-shm-fix-use-after-free-of-shm-file-via-remap_file_pages-v2.patch
and later at
    http://ozlabs.org/~akpm/mmotm/broken-out/ipc-shm-fix-use-after-free-of-shm-file-via-remap_file_pages-v2.patch

Before you just go and hit "reply", please:
   a) Consider who else should be cc'ed
   b) Prefer to cc a suitable mailing list as well
   c) Ideally: find the original patch on the mailing list and do a
      reply-to-all to that, adding suitable additional cc's

*** Remember to use Documentation/process/submit-checklist.rst when testing your code ***

The -mm tree is included into linux-next and is updated
there every 3-4 working days

------------------------------------------------------
From: Eric Biggers <ebiggers@xxxxxxxxxx>
Subject: ipc/shm: fix use-after-free of shm file via remap_file_pages()

add comment

Link: http://lkml.kernel.org/r/20180410192850.235835-1-ebiggers3@xxxxxxxxx
Reported-by: syzbot+d11f321e7f1923157eac80aa990b446596f46439@xxxxxxxxxxxxxxxxxxxxxxxxx
Fixes: c8d78c1823f4 ("mm: replace remap_file_pages() syscall with emulation")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Eric Biggers <ebiggers@xxxxxxxxxx>
Acked-by: Kirill A. Shutemov <kirill.shutemov@xxxxxxxxxxxxxxx>
Cc: Davidlohr Bueso <dave@xxxxxxxxxxxx>
Cc: Manfred Spraul <manfred@xxxxxxxxxxxxxxxx>
Cc: "Eric W . Biederman" <ebiederm@xxxxxxxxxxxx>
Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
---

 ipc/shm.c |    9 +++++++++
 1 file changed, 9 insertions(+)

diff -puN ipc/shm.c~ipc-shm-fix-use-after-free-of-shm-file-via-remap_file_pages-v2 ipc/shm.c
--- a/ipc/shm.c~ipc-shm-fix-use-after-free-of-shm-file-via-remap_file_pages-v2
+++ a/ipc/shm.c
@@ -1440,6 +1440,15 @@ long do_shmat(int shmid, char __user *sh file->f_mapping = shp->shm_file->f_mapping; sfd->id = shp->shm_perm.id; sfd->ns = get_ipc_ns(ns); + /* + * We need to take a reference to the real shm file to prevent the + * pointer from becoming stale in cases where the lifetime of the outer + * file extends beyond that of the shm segment. It's not usually + * possible, but it can happen during remap_file_pages() emulation as + * that unmaps the memory, then does ->mmap() via file reference only. + * We'll deny the ->mmap() if the shm segment was since removed, but to + * detect shm ID reuse we need to compare the file pointers. + */ sfd->file = get_file(shp->shm_file); sfd->vm_ops = NULL; _ Patches currently in -mm which might be from ebiggers@xxxxxxxxxx are ipc-shm-fix-use-after-free-of-shm-file-via-remap_file_pages.patch ipc-shm-fix-use-after-free-of-shm-file-via-remap_file_pages-v2.patch -- To unsubscribe from this list: send the line "unsubscribe mm-commits" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
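Review bot: the new comment above `sfd->file = get_file(shp->shm_file);` leaves implicit the reason a plain file-pointer comparison is a sound identity test for detecting shm ID reuse: it only works because the get_file() reference taken on that line keeps the old shm_file allocated for as long as the outer file lives, so a new segment that reuses the shm ID cannot also reuse that struct file's address. Suggest adding a sentence saying so, and pointing at the ->mmap() handler where the comparison actually happens, since this hunk only asserts that the comparison exists and a reader of do_shmat() cannot otherwise find it.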