From: Carlos Llamas <cmllamas@google.com>
To: "Liam R. Howlett" <Liam.Howlett@oracle.com>
Cc: "Greg Kroah-Hartman" <gregkh@linuxfoundation.org>,
"Arve Hjønnevåg" <arve@android.com>,
"Todd Kjos" <tkjos@android.com>,
"Martijn Coenen" <maco@android.com>,
"Joel Fernandes" <joel@joelfernandes.org>,
"Christian Brauner" <brauner@kernel.org>,
"Suren Baghdasaryan" <surenb@google.com>,
"Andrew Morton" <akpm@linux-foundation.org>,
"Vlastimil Babka" <vbabka@suse.cz>,
"Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>,
"Matthew Wilcox" <willy@infradead.org>,
"Michal Hocko" <mhocko@kernel.org>,
linux-kernel@vger.kernel.org, kernel-team@android.com,
stable@vger.kernel.org, "Minchan Kim" <minchan@kernel.org>
Subject: Re: [PATCH 02/21] binder: fix use-after-free in shinker's callback
Date: Thu, 2 Nov 2023 20:09:42 +0000
Message-ID: <ZUQCBnPYf_fzlWnD@google.com>
In-Reply-To: <20231102192051.innr2tbugspgmotw@revolver>
On Thu, Nov 02, 2023 at 03:20:51PM -0400, Liam R. Howlett wrote:
> * Carlos Llamas <cmllamas@google.com> [231102 15:00]:
> > The mmap read lock is used during the shrinker's callback, which means
> > that using alloc->vma pointer isn't safe as it can race with munmap().
>
> I think you know my feelings about the safety of that pointer from
> previous discussions.
>
Yeah. The work here is not done. We actually already store the vm_start
address in alloc->buffer, so in theory we don't even need to swap the
alloc->vma pointer; we could just drop it. So, I agree with you.
I want to include this safety "fix" along with some other work that uses
the page fault handler and get_user_pages_remote(). I've tried a quick
prototype of this and it works fine.
> > diff --git a/drivers/android/binder_alloc.c b/drivers/android/binder_alloc.c
> > index e3db8297095a..c4d60d81221b 100644
> > --- a/drivers/android/binder_alloc.c
> > +++ b/drivers/android/binder_alloc.c
> > @@ -1005,7 +1005,9 @@ enum lru_status binder_alloc_free_page(struct list_head *item,
> > goto err_mmget;
> > if (!mmap_read_trylock(mm))
> > goto err_mmap_read_lock_failed;
> > - vma = binder_alloc_get_vma(alloc);
> > + vma = vma_lookup(mm, page_addr);
> > + if (vma && vma != binder_alloc_get_vma(alloc))
> > + goto err_invalid_vma;
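Review bot: the condition `if (vma && vma != binder_alloc_get_vma(alloc))` deliberately lets a NULL result from vma_lookup() fall through, which is the opposite of what a reader expects from a lookup check and is easy to mistake for a missing NULL test (this very thread shows that). If NULL is meant to say "the mapping is already gone, still isolate and free the page but skip the zap", put that in a one-line comment directly above the check, e.g. `/* NULL vma: mapping gone, free the page but skip the zap */`. Also, err_invalid_vma is a new label whose body is outside this hunk; confirm it unwinds through the mmap read lock taken by mmap_read_trylock() two lines above, otherwise the new early exit returns with the lock held.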
>
> Doesn't this need to be:
> if (!vma || vma != binder_alloc_get_vma(alloc))
>
> This way, we catch a different vma and a NULL vma.
>
> Or even, just:
> if (vma != binder_alloc_get_vma(alloc))
>
> if the alloc vma cannot be NULL?
>
If the vma_lookup() is NULL then we still need to isolate and free the
given binder page, and we obviously skip the zap() in this case.
However, if we receive a random unexpected vma because of a corrupted
address or similar, then the whole process is skipped.
That is why we use the check above.
--
Carlos Llamas