From: Andrew Morton <akpm@linux-foundation.org>
To: mm-commits@vger.kernel.org, willy@infradead.org, vbabka@suse.cz,
	syzbot+aa7b3d4b35f9dc46a366@syzkaller.appspotmail.com,
	sumit.semwal@linaro.org, sashal@kernel.org, pcc@google.com,
	mhocko@suse.com, legion@kernel.org,
	kirill.shutemov@linux.intel.com, keescook@chromium.org,
	hannes@cmpxchg.org, gorcunov@gmail.com, ebiederm@xmission.com,
	david@redhat.com, dave@stgolabs.net, dave.hansen@intel.com,
	chris.hyser@oracle.com, ccross@google.com,
	caoxiaofeng@yulong.com, brauner@kernel.org, surenb@google.com,
	akpm@linux-foundation.org
Subject: + mm-fix-uaf-when-anon-vma-name-is-used-after-vma-is-freed.patch added to -mm tree
Date: Wed, 09 Feb 2022 16:34:05 -0800
Message-ID: <20220210003405.C82EDC340E7@smtp.kernel.org>


The patch titled
     Subject: mm: fix use-after-free when anon vma name is used after vma is freed
has been added to the -mm tree.  Its filename is
     mm-fix-uaf-when-anon-vma-name-is-used-after-vma-is-freed.patch

This patch should soon appear at
    https://ozlabs.org/~akpm/mmots/broken-out/mm-fix-uaf-when-anon-vma-name-is-used-after-vma-is-freed.patch
and later at
    https://ozlabs.org/~akpm/mmotm/broken-out/mm-fix-uaf-when-anon-vma-name-is-used-after-vma-is-freed.patch

Before you just go and hit "reply", please:
   a) Consider who else should be cc'ed
   b) Prefer to cc a suitable mailing list as well
   c) Ideally: find the original patch on the mailing list and do a
      reply-to-all to that, adding suitable additional cc's

*** Remember to use Documentation/process/submit-checklist.rst when testing your code ***

The -mm tree is included into linux-next and is updated
there every 3-4 working days

------------------------------------------------------
From: Suren Baghdasaryan <surenb@google.com>
Subject: mm: fix use-after-free when anon vma name is used after vma is freed

When adjacent vmas are being merged it can result in the vma that was
originally passed to madvise_update_vma being destroyed.  In the current
implementation, the name parameter passed to madvise_update_vma points
directly to vma->anon_name->name and it is used after the call to
vma_merge.  In the cases when vma_merge merges the original vma and
destroys it, this will result in a use-after-free bug as shown below:

madvise_vma_behavior << passes vma->anon_name->name as name param
  madvise_update_vma(name)
    vma_merge
      __vma_adjust
        vm_area_free <-- frees the vma
    replace_vma_anon_name(name) <-- UAF

Fix this by passing madvise_update_vma a copy of the name.

Link: https://lkml.kernel.org/r/20220210001801.15413-1-surenb@google.com
Fixes: 9a10064f5625 ("mm: add a field to store names for private anonymous memory")
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
Reported-by: <syzbot+aa7b3d4b35f9dc46a366@syzkaller.appspotmail.com>
Cc: Colin Cross <ccross@google.com>
Cc: Sumit Semwal <sumit.semwal@linaro.org>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Dave Hansen <dave.hansen@intel.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
Cc: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: Eric W. Biederman <ebiederm@xmission.com>
Cc: Christian Brauner <brauner@kernel.org>
Cc: Alexey Gladkov <legion@kernel.org>
Cc: Sasha Levin <sashal@kernel.org>
Cc: Chris Hyser <chris.hyser@oracle.com>
Cc: Davidlohr Bueso <dave@stgolabs.net>
Cc: Peter Collingbourne <pcc@google.com>
Cc: Xiaofeng Cao <caoxiaofeng@yulong.com>
Cc: David Hildenbrand <david@redhat.com>
Cc: Cyrill Gorcunov <gorcunov@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
---

 include/linux/mm.h |    2 ++
 kernel/sys.c       |    1 -
 mm/madvise.c       |   14 +++++++++++++-
 3 files changed, 15 insertions(+), 2 deletions(-)

--- a/include/linux/mm.h~mm-fix-uaf-when-anon-vma-name-is-used-after-vma-is-freed
+++ a/include/linux/mm.h
@@ -3370,6 +3370,8 @@ static inline int seal_check_future_writ
 	return 0;
 }
 
+#define ANON_VMA_NAME_MAX_LEN	80
+
 #ifdef CONFIG_ANON_VMA_NAME
 int madvise_set_anon_name(struct mm_struct *mm, unsigned long start,
 			  unsigned long len_in, const char *name);
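Review bot: the new `#define ANON_VMA_NAME_MAX_LEN 80` lands just above `#ifdef CONFIG_ANON_VMA_NAME` rather than inside it, so the constant is now visible in every configuration although its users (madvise_set_anon_name and the stack buffer this series adds in mm/madvise.c) are CONFIG_ANON_VMA_NAME code. Either move it inside the ifdef or add a one-line comment stating the contract the header is now exporting: whether the limit counts the terminating NUL and that it is enforced where names are created, since a fixed-size copy elsewhere will depend on exactly that.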
--- a/kernel/sys.c~mm-fix-uaf-when-anon-vma-name-is-used-after-vma-is-freed
+++ a/kernel/sys.c
@@ -2263,7 +2263,6 @@ int __weak arch_prctl_spec_ctrl_set(stru
 
 #ifdef CONFIG_ANON_VMA_NAME
 
-#define ANON_VMA_NAME_MAX_LEN		80
 #define ANON_VMA_NAME_INVALID_CHARS	"\\`$[]"
 
 static inline bool is_valid_name_char(char ch)
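Review bot: with the definition removed here, this file still carries the remaining validation of user-supplied names (`ANON_VMA_NAME_INVALID_CHARS` and `is_valid_name_char`), while the length bound now lives in include/linux/mm.h. A short comment at the validation site saying that the bound is shared with mm/madvise.c, which copies names into a buffer of exactly that size, would stop a future relaxation of the check in kernel/sys.c from silently breaking the copy on the other side.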
--- a/mm/madvise.c~mm-fix-uaf-when-anon-vma-name-is-used-after-vma-is-freed
+++ a/mm/madvise.c
@@ -976,6 +976,8 @@ static int madvise_vma_behavior(struct v
 {
 	int error;
 	unsigned long new_flags = vma->vm_flags;
+	char name_buf[ANON_VMA_NAME_MAX_LEN];
+	const char *anon_name;
 
 	switch (behavior) {
 	case MADV_REMOVE:
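Review bot: `char name_buf[ANON_VMA_NAME_MAX_LEN];` adds 80 bytes of uninitialized stack to madvise_vma_behavior() on every call, including the common behaviors that never touch the name. That is acceptable at this depth, but since the buffer is only meaningful in the name-copy path introduced by the next hunk, confining it to that block would keep the stack cost and the reason for it together.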
@@ -1040,8 +1042,18 @@ static int madvise_vma_behavior(struct v
 		break;
 	}
 
+	anon_name = vma_anon_name(vma);
+	if (anon_name) {
+		/*
+		 * Make a copy of the name because vma might be destroyed when
+		 * merged with another one and the name parameter might be used
+		 * after that.
+		 */
+		strcpy(name_buf, anon_name);
+		anon_name = name_buf;
+	}
 	error = madvise_update_vma(vma, prev, start, end, new_flags,
-				   vma_anon_name(vma));
+				   anon_name);
 
 out:
 	/*
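Review bot: `strcpy(name_buf, anon_name);` copies an unbounded source into the 80-byte stack buffer, so correctness now rests on every stored anon name being shorter than ANON_VMA_NAME_MAX_LEN, a bound enforced in a different file. A bounded copy such as `strscpy(name_buf, anon_name, sizeof(name_buf));` with its negative return treated as an error makes the invariant local to this site and turns a future mismatch into a clean failure instead of a stack overflow. The block comment explains why the copy exists but not why the size is safe; one line pointing at the length check in kernel/sys.c would help the next reader.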
_

Patches currently in -mm which might be from surenb@google.com are

mm-fix-uaf-when-anon-vma-name-is-used-after-vma-is-freed.patch
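The lifetime hazard the commit message describes, modelled as a stand-alone user-space C program (an added example, not the kernel's code): `struct vma`, `mock_vma_merge`, `bounded_copy` and `update_vma_fixed` are hypothetical stand-ins for the kernel's vma, vma_merge, strscpy and madvise_update_vma, and the merge frees the vma exactly as the call trace above shows.

```c
#include <stdlib.h>
#include <string.h>

#define ANON_VMA_NAME_MAX_LEN 80	/* bound the patch moves into mm.h */

/* Hypothetical user-space stand-in for the kernel's vma. */
struct vma {
	unsigned long start, end;
	char *anon_name;	/* owned heap string, NULL if unnamed */
};

/* Mock of vma_merge(): absorbs vma into prev and frees it, which is the
 * __vma_adjust -> vm_area_free step in the commit message's call trace. */
static struct vma *mock_vma_merge(struct vma *prev, struct vma *vma)
{
	prev->end = vma->end;
	free(vma->anon_name);
	free(vma);
	return prev;
}

/* strscpy-like copy: returns the length copied, or -1 if src (with its
 * NUL) does not fit in size bytes; nothing is written on failure. */
static long bounded_copy(char *dst, const char *src, size_t size)
{
	const char *nul = memchr(src, '\0', size);
	if (!nul)
		return -1;
	memcpy(dst, src, (size_t)(nul - src) + 1);
	return nul - src;
}

/* Patched ordering: copy the name to a stack buffer before the merge that
 * may free vma, so the post-merge user never reads freed memory (the
 * pre-patch code read vma->anon_name after the free). out must hold
 * ANON_VMA_NAME_MAX_LEN bytes; returns -1 rather than truncating. */
static int update_vma_fixed(struct vma *prev, struct vma *vma, char *out)
{
	char name_buf[ANON_VMA_NAME_MAX_LEN];
	const char *name = NULL;

	if (vma->anon_name) {
		if (bounded_copy(name_buf, vma->anon_name, sizeof(name_buf)) < 0)
			return -1;
		name = name_buf;
	}
	mock_vma_merge(prev, vma);	/* vma and vma->anon_name are gone */
	strcpy(out, name ? name : "");	/* replace_vma_anon_name() stand-in */
	return 0;
}
```

Building the same program with the copy step removed and `name = vma->anon_name` read after `mock_vma_merge()` reproduces the reported ordering, which AddressSanitizer flags as a heap-use-after-free.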

