From: Minchan Kim <minchan@kernel.org>
To: Nitin Gupta <ngupta@vflare.org>
Cc: Greg KH <greg@kroah.com>, Jerome Marchand <jmarchan@redhat.com>,
Seth Jennings <sjenning@linux.vnet.ibm.com>,
Dan Carpenter <dan.carpenter@oracle.com>,
Sam Hansen <solid.se7en@gmail.com>, Tomas M <tomas@slax.org>,
Mihail Kasadjikov <hamer.mk@gmail.com>,
Linux Driver Project <devel@linuxdriverproject.org>,
linux-kernel <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH v2] zram: Fix use-after-free bug in disk write case
Date: Thu, 29 Nov 2012 17:47:34 +0900
Message-ID: <20121129084734.GA11840@blaptop>
In-Reply-To: <50B7205E.20607@vflare.org>
On Thu, Nov 29, 2012 at 12:44:14AM -0800, Nitin Gupta wrote:
> On 11/28/2012 11:55 PM, Minchan Kim wrote:
> >Hi Nitin,
> >
> >On Wed, Nov 28, 2012 at 11:45:06PM -0800, Nitin Gupta wrote:
> >>Changelog v2 vs v1:
> >> - Changelog message now correctly explains the problem
> >>
> >>Fixes a bug introduced by commit c8f2f0db1 ("zram: Fix handling
> >>of incompressible pages") which caused a freed buffer to be used
> >>in case a partial write (non PAGE_SIZED) request is received and
> >>the data is found to be incompressible.
> >>
> >>Fixes bug 50081:
> >>https://bugzilla.kernel.org/show_bug.cgi?id=50081
> >
> >When I saw https://bugzilla.kernel.org/attachment.cgi?id=85571, it was
> >swap write usecase so partial write can not happen.
> >So this bug isn't related to a freed buffer caused by partial write.
> >
> >This bug is related to unmapped buffer access.
> >
> >1) user_mem = kmap_atomic
> >2) uncmem = user_mem
> >3) compress
> >4) kunmap_atomic(user_mem) <-- So, uncmem is dangling.
> >5) src = uncmem; <-- So, src is dangling.
> >6) memcpy(cmem, src, clen) <-- HIT
> >
>
> This is what I had in mind, still missed it in description. Will
> repost with updated description as below:
>
> zram: fix invalid memory references during disk write
>
> Fixes a bug introduced by commit c8f2f0db1 ("zram: Fix handling
> of incompressible pages") which caused invalid memory references
> during disk write. Invalid references could occur in two cases:
> - Incoming data expands on compression: In this case, reference was
> made to kunmap()'ed bio page.
> - Partial (non PAGE_SIZE) write with incompressible data: In this
> case, reference was made to a kfree()'ed buffer.
>
>
> Please let me know if the description looks okay.
Looks good to me.
Thanks!
--
Kind regards,
Minchan Kim
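A user-space model of the two orderings discussed in this thread, added here as an example; it is not the zram driver, the commit under discussion, or the patch that followed. The kmap/kunmap and kmalloc/kfree stand-ins, `checked_memcpy`, the `MAX_ZPAGE_SIZE` threshold, the toy compressor and the page contents are all constructed so that the copy in step 6 of Minchan's trace is detected as a reference to an unmapped page or a freed buffer instead of silently reading it. Releasing after the copy (`defer_release=1`) is one ordering that avoids both cases; it is not a claim about what the posted fix does.

```c
/*
 * Added example, not zram code: user-space model of the write-path ordering
 * discussed above. kmap/kunmap and kmalloc/kfree only track whether a buffer
 * is still live, so the copy in step 6 can be caught rather than executed.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PAGE_SIZE 4096
#define MAX_ZPAGE_SIZE (PAGE_SIZE / 2)   /* assumed threshold for "incompressible" */

/* The pointer stays numerically valid after unmap/free, as in the kernel;
 * only the live flag records that it must no longer be dereferenced. */
struct tracked_buf { unsigned char *mem; int live; };

static unsigned char *model_kmap_atomic(struct tracked_buf *b) { b->live = 1; return b->mem; }
static void model_kunmap_atomic(struct tracked_buf *b) { b->live = 0; }
static unsigned char *model_kmalloc(struct tracked_buf *b)
{
    b->mem = calloc(1, PAGE_SIZE);   /* zeroed: stands in for decompressing the old page */
    b->live = 1;
    return b->mem;
}
static void model_kfree(struct tracked_buf *b) { b->live = 0; } /* memory kept for the check */

/* Toy compressor: at most two distinct byte values "compresses" to 16 bytes;
 * anything else gains nothing, like clen > max_zpage_size in zram. */
static size_t model_compress(const unsigned char *in, unsigned char *out)
{
    unsigned char seen[256] = {0};
    size_t distinct = 0, i;
    for (i = 0; i < PAGE_SIZE; i++)
        if (!seen[in[i]]) { seen[in[i]] = 1; distinct++; }
    if (distinct <= 2) { memcpy(out, in, 16); return 16; }
    memcpy(out, in, PAGE_SIZE);
    return PAGE_SIZE;
}

/* memcpy that refuses a source inside a buffer that is no longer live.
 * Returns 0 on success, -1 for the dangling reference the thread describes. */
static int checked_memcpy(unsigned char *dst, const unsigned char *src, size_t len,
                          const struct tracked_buf *page, const struct tracked_buf *tmp)
{
    const struct tracked_buf *owner = NULL;
    if (page->mem && src >= page->mem && src < page->mem + PAGE_SIZE) owner = page;
    else if (tmp->mem && src >= tmp->mem && src < tmp->mem + PAGE_SIZE) owner = tmp;
    if (owner && !owner->live) return -1;
    memcpy(dst, src, len);
    return 0;
}

/* One page write. defer_release=0 reproduces the ordering in the thread
 * (unmap/free before the copy); defer_release=1 releases after the copy. */
static int zram_write_model(struct tracked_buf *page, size_t offset, size_t len,
                            int defer_release, unsigned char *cmem, size_t *clen_out)
{
    struct tracked_buf tmp = { NULL, 0 };
    unsigned char compress_buffer[PAGE_SIZE];
    unsigned char *user_mem, *uncmem = NULL, *src = compress_buffer;
    int partial = (len != PAGE_SIZE), ret;
    size_t clen;

    if (partial)
        uncmem = model_kmalloc(&tmp);                     /* temp page for partial IO */
    user_mem = model_kmap_atomic(page);                   /* step 1 */
    if (partial)
        memcpy(uncmem + offset, user_mem + offset, len);  /* merge new bytes */
    else
        uncmem = user_mem;                                /* step 2: alias the mapping */
    clen = model_compress(uncmem, compress_buffer);       /* step 3 */
    if (!defer_release) {                                 /* step 4: released too early */
        model_kunmap_atomic(page);
        if (partial) model_kfree(&tmp);
    }
    if (clen > MAX_ZPAGE_SIZE) {                          /* step 5: src = uncmem */
        src = uncmem;
        clen = PAGE_SIZE;
    }
    ret = checked_memcpy(cmem, src, clen, page, &tmp);    /* step 6 */
    *clen_out = clen;
    if (defer_release) {                                  /* release after last use */
        model_kunmap_atomic(page);
        if (partial) model_kfree(&tmp);
    }
    free(tmp.mem);
    return ret;
}

/* Constructed input: one repeated byte compresses, a counter pattern does not. */
static int run_case(int partial, int incompressible, int defer_release)
{
    struct tracked_buf page = { malloc(PAGE_SIZE), 0 };
    unsigned char cmem[PAGE_SIZE];
    size_t clen, i;
    int ret;
    for (i = 0; i < PAGE_SIZE; i++)
        page.mem[i] = incompressible ? (unsigned char)(i * 7 + 1) : 0x41;
    ret = zram_write_model(&page, partial ? 512 : 0, partial ? 1024 : PAGE_SIZE,
                           defer_release, cmem, &clen);
    free(page.mem);
    return ret;
}

int main(void)
{
    printf("full, incompressible, early release: %d (kunmap'ed page)\n", run_case(0, 1, 0));
    printf("partial, incompressible, early release: %d (kfree'd buffer)\n", run_case(1, 1, 0));
    printf("full, incompressible, late release: %d\n", run_case(0, 1, 1));
    printf("partial, incompressible, late release: %d\n", run_case(1, 1, 1));
    return 0;
}
```

The compressible cases pass under either ordering because `src` still points at the private compress buffer; only when compression gains nothing does `src` alias `uncmem`, which is exactly the page mapping (full write) or the temporary buffer (partial write) that the early release has already given up.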
Thread overview: 4+ messages
2012-11-29 7:45 [PATCH v2] zram: Fix use-after-free bug in disk write case Nitin Gupta
2012-11-29 7:55 ` Minchan Kim
2012-11-29 8:44 ` Nitin Gupta
2012-11-29 8:47 ` Minchan Kim [this message]