Re: [PATCH] mm/mempolicy: Fix use-after-free of VMA iterator

From: Sven Schnelle
Date: Mon May 01 2023 - 14:25:41 EST

Next message: Tim Chen: "Re: [PATCH v4 00/12] sched: Avoid unnecessary migrations within SMT domains"
Previous message: Daniel Latypov: "Re: [PATCH v2 1/3] kunit: tool: add subscripts for type annotations where appropriate"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Lorenzo Stoakes <lstoakes@xxxxxxxxx> writes:

> On Thu, Apr 27, 2023 at 01:32:47PM -0400, Liam R. Howlett wrote:
>> * Sven Schnelle <svens@xxxxxxxxxxxxx> [230427 02:53]:
>> > "Liam R. Howlett" <Liam.Howlett@xxxxxxxxxx> writes:
>> >
>> > > set_mempolicy_home_node() iterates over a list of VMAs and calls
>> > > mbind_range() on each VMA, which also iterates over the singular list of
>> > > the VMA passed in and potentially splits the VMA. Since the VMA
>> > > iterator is not passed through, set_mempolicy_home_node() may now point
>> > > to a stale node in the VMA tree. This can result in a UAF as reported
>> > > by syzbot.
>> > >
>> > > Avoid the stale maple tree node by passing the VMA iterator through to
>> > > the underlying call to split_vma().
>> > >
>> > > mbind_range() is also overly complicated, since there are two calling
>> > > functions and one already handles iterating over the VMAs. Simplify
>> > > mbind_range() to only handle merging and splitting of the VMAs.
>> > >
>> > > Align the new loop in do_mbind() and existing loop in
>> > > set_mempolicy_home_node() to use the reduced mbind_range() function.
>> > > This allows for a single location of the range calculation and avoids
>> > > constantly looking up the previous VMA (since this is a loop over the
>> > > VMAs).
>> > >
>> > > Link: https://lore.kernel.org/linux-mm/000000000000c93feb05f87e24ad@xxxxxxxxxx/
>> > > Reported-and-tested-by: syzbot+a7c1ec5b1d71ceaa5186@xxxxxxxxxxxxxxxxxxxxxxxxx
>> > > Fixes: 66850be55e8e ("mm/mempolicy: use vma iterator & maple state instead of vma linked list")
>> > > Cc: <stable@xxxxxxxxxxxxxxx>
>> > > Signed-off-by: Liam R. Howlett <Liam.Howlett@xxxxxxxxxx>
>> > > ---
>> >
>> > This breaks the vma02 testcase from ltp on s390:
>> >
>> > ~ # ./vma02
>> > vma02 0 TINFO : pid = 617 addr = 0x3ff8f673000
>> > vma02 0 TINFO : start = 0x3ff8f673000, end = 0x3ff8f674000
>> > vma02 0 TINFO : start = 0x3ff8f674000, end = 0x3ff8f675000
>> > vma02 0 TINFO : start = 0x3ff8f675000, end = 0x3ff8f676000
>> > vma02 1 TFAIL : vma02.c:144: >1 unmerged VMAs.
>> > Any thoughts?
>>
>> No thoughts that I should share.
>>
>> I will have to boot my s390 (vm) and have a look.
>>
>> Thanks for letting me know.
>>
>> Regards,
>> Liam
>
> I tracked down what this (almost certainly) was + added fix in [1] as it
> popped up as a 6.2.y stable bug. It doesn't seem arch-specific so you can
> put that s390 down :)
>
> [1]:https://lore.kernel.org/all/db42467a692d78c654ec5c1953329401bd8a9c34.1682859234.git.lstoakes@xxxxxxxxx/

Thanks, just tested, and it solves the issue for me.

Next message: Tim Chen: "Re: [PATCH v4 00/12] sched: Avoid unnecessary migrations within SMT domains"
Previous message: Daniel Latypov: "Re: [PATCH v2 1/3] kunit: tool: add subscripts for type annotations where appropriate"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]