Re: [PATCH] Userfaultfd: Avoid double free of userfault_ctx and remove O_CLOEXEC

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Eric Biggers <ebiggers@kernel.org>
To: Lokesh Gidra <lokeshgidra@google.com>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>,
	Stephen Smalley <stephen.smalley.work@gmail.com>,
	casey@schaufler-ca.com, James Morris <jmorris@namei.org>,
	Kalesh Singh <kaleshsingh@google.com>,
	Daniel Colascione <dancol@dancol.org>,
	Suren Baghdasaryan <surenb@google.com>,
	Linux FS Devel <linux-fsdevel@vger.kernel.org>,
	linux-kernel <linux-kernel@vger.kernel.org>,
	Nick Kralevich <nnk@google.com>,
	Jeffrey Vander Stoep <jeffv@google.com>,
	Calin Juravle <calin@google.com>,
	kernel-team@android.com, yanfei.xu@windriver.com,
	syzbot+75867c44841cb6373570@syzkaller.appspotmail.com
Subject: Re: [PATCH] Userfaultfd: Avoid double free of userfault_ctx and remove O_CLOEXEC
Date: Tue, 4 Aug 2020 13:58:46 -0700	[thread overview]
Message-ID: <20200804205846.GB1992048@gmail.com> (raw)
In-Reply-To: <CA+EESO6XGpiTLnxPraZqBigY7mh6G2jkHa2PKXaHXpzdrZd4wA@mail.gmail.com>

On Tue, Aug 04, 2020 at 01:49:30PM -0700, Lokesh Gidra wrote:
> On Tue, Aug 4, 2020 at 1:45 PM Eric Biggers <ebiggers@kernel.org> wrote:
> >
> > On Tue, Aug 04, 2020 at 01:31:55PM -0700, Lokesh Gidra wrote:
> > > when get_unused_fd_flags returns error, ctx will be freed by
> > > userfaultfd's release function, which is indirectly called by fput().
> > > Also, if anon_inode_getfile_secure() returns an error, then
> > > userfaultfd_ctx_put() is called, which calls mmdrop() and frees ctx.
> > >
> > > Also, the O_CLOEXEC was inadvertently added to the call to
> > > get_unused_fd_flags() [1].
> > >
> > > Adding Al Viro's suggested-by, based on [2].
> > >
> > > [1] https://lore.kernel.org/lkml/1f69c0ab-5791-974f-8bc0-3997ab1d61ea@dancol.org/
> > > [2] https://lore.kernel.org/lkml/20200719165746.GJ2786714@ZenIV.linux.org.uk/
> > >
> > > Fixes: d08ac70b1e0d (Wire UFFD up to SELinux)
> > > Suggested-by: Al Viro <viro@zeniv.linux.org.uk>
> > > Reported-by: syzbot+75867c44841cb6373570@syzkaller.appspotmail.com
> > > Signed-off-by: Lokesh Gidra <lokeshgidra@google.com>
> >
> > What branch does this patch apply to?  Neither mainline nor linux-next works.
> >
> On James Morris' tree (secure_uffd_v5.9 branch).
> 

For those of us not "in the know", that apparently means branch secure_uffd_v5.9
of https://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security.git

Perhaps it would make more sense to resend your original patch series with this
fix folded in?

> diff --git a/fs/userfaultfd.c b/fs/userfaultfd.c
> index ae859161908f..e15eb8fdc083 100644
> --- a/fs/userfaultfd.c
> +++ b/fs/userfaultfd.c
> @@ -2042,24 +2042,18 @@ SYSCALL_DEFINE1(userfaultfd, int, flags)
>  		O_RDWR | (flags & UFFD_SHARED_FCNTL_FLAGS),
>  		NULL);
>  	if (IS_ERR(file)) {
> -		fd = PTR_ERR(file);
> -		goto out;
> +		userfaultfd_ctx_put(ctx);
> +		return PTR_ERR(file);
>  	}
>  
> -	fd = get_unused_fd_flags(O_RDONLY | O_CLOEXEC);
> +	fd = get_unused_fd_flags(O_RDONLY);
>  	if (fd < 0) {
>  		fput(file);
> -		goto out;
> +		return fd;
>  	}
>  
>  	ctx->owner = file_inode(file);
>  	fd_install(fd, file);
> -
> -out:
> -	if (fd < 0) {
> -		mmdrop(ctx->mm);
> -		kmem_cache_free(userfaultfd_ctx_cachep, ctx);
> -	}
>  	return fd;

This introduces the opposite bug: now it's hardcoded to *not* use O_CLOEXEC,
instead of using the flag the user passed in the flags argument to the syscall.

- Eric

next prev parent reply	other threads:[~2020-08-04 20:58 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-08-04 20:31 [PATCH] Userfaultfd: Avoid double free of userfault_ctx and remove O_CLOEXEC Lokesh Gidra
2020-08-04 20:45 ` Eric Biggers
2020-08-04 20:49   ` Lokesh Gidra
2020-08-04 20:58     ` Eric Biggers [this message]
2020-08-04 23:34       ` Lokesh Gidra
2020-08-05  3:47 ` Aleksa Sarai
2020-08-05  4:08   ` Eric Biggers
2020-08-05  4:54     ` Lokesh Gidra
2020-08-06 23:59     ` Aleksa Sarai

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20200804205846.GB1992048@gmail.com \
    --to=ebiggers@kernel.org \
    --cc=calin@google.com \
    --cc=casey@schaufler-ca.com \
    --cc=dancol@dancol.org \
    --cc=jeffv@google.com \
    --cc=jmorris@namei.org \
    --cc=kaleshsingh@google.com \
    --cc=kernel-team@android.com \
    --cc=linux-fsdevel@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=lokeshgidra@google.com \
    --cc=nnk@google.com \
    --cc=stephen.smalley.work@gmail.com \
    --cc=surenb@google.com \
    --cc=syzbot+75867c44841cb6373570@syzkaller.appspotmail.com \
    --cc=viro@zeniv.linux.org.uk \
    --cc=yanfei.xu@windriver.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.