Date: Thu, 10 Feb 2022 15:27:14 +0000
From: Matthew Wilcox
To: Suren Baghdasaryan
Cc: Michal Hocko, Andrew Morton, Colin Cross, Sumit Semwal, Dave Hansen, Kees Cook, Kirill A. Shutemov, Vlastimil Babka, Johannes Weiner, Eric W. Biederman, brauner@kernel.org, legion@kernel.org, ran.xiaokai@zte.com.cn, sashal@kernel.org, Chris Hyser, Davidlohr Bueso, Peter Collingbourne, caoxiaofeng@yulong.com, David Hildenbrand, Cyrill Gorcunov, linux-mm, LKML, kernel-team, syzbot+aa7b3d4b35f9dc46a366@syzkaller.appspotmail.com
Subject: Re: [PATCH v2 1/1] mm: fix use-after-free when anon vma name is used after vma is freed
References: <20220210043215.42794-1-surenb@google.com>

On Thu, Feb 10, 2022 at 07:18:24AM -0800, Suren Baghdasaryan wrote:
> On Thu, Feb 10, 2022 at 4:40 AM 'Michal Hocko' via kernel-team wrote:
> >
> > On Wed 09-02-22 20:32:15, Suren Baghdasaryan wrote:
> > > When adjacent vmas are being merged it can result in the vma that was
> > > originally passed to madvise_update_vma being destroyed. In the current
> > > implementation, the name parameter passed to madvise_update_vma points
> > > directly to vma->anon_name->name and it is used after the call to
> > > vma_merge. In the cases when vma_merge merges the original vma and
> > > destroys it, this will result in a use-after-free bug as shown below:
> > >
> > > madvise_vma_behavior  << passes vma->anon_name->name as name param
> > >   madvise_update_vma(name)
> > >     vma_merge
> > >       __vma_adjust
> > >         vm_area_free  <-- frees the vma
> > >     replace_vma_anon_name(name)  <-- UAF
> > >
> > > Fix this by raising the name refcount and stabilizing it. Introduce
> > > vma_anon_name_{get/put} API for this purpose.
> >
> > What is the reason that madvise_update_vma uses the naked name rather
> > than the encapsulated anon_vma_name? This really just begs for problems.
>
> The reason for that is the second place it's being used from, the prctl syscall:
>
> prctl_set_vma
>   madvise_set_anon_name
>     madvise_vma_anon_name
>       madvise_update_vma
>
> In that case the name parameter is not part of any anon_vma_name
> struct and therefore is stable. I can add a comment to
> madvise_update_vma indicating that the name parameter has to be stable
> if that helps.

Seems to me it'd simplify things if replace_vma_anon_name() and
madvise_vma_anon_name() took a struct anon_vma_name instead of a bare
char *. You could construct it in madvise_set_anon_name().
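An added userspace model of the hazard discussed above (not kernel code and not part of the patch): a toy refcounted anon_vma_name owned by a vma, a stand-in for the vma_merge path that frees the vma, and the two update flows, one holding a bare char * into the name and one holding a reference on the struct across the merge. All struct layouts, helper names and the names_freed counter are assumptions for illustration.

```c
#include <stdlib.h>
#include <string.h>
#include <stdio.h>
/* Toy model of the structures named in the thread (not kernel code): a
 * refcounted anon_vma_name owned by a vma, as in the patch's get/put API. */
struct anon_vma_name { int refcount; char name[32]; };
struct vma { struct anon_vma_name *anon_name; };
static int names_freed;  /* counts frees so the hazard is observable without a UAF */

static struct anon_vma_name *anon_vma_name_alloc(const char *s) {
    struct anon_vma_name *n = calloc(1, sizeof *n);
    n->refcount = 1;
    snprintf(n->name, sizeof n->name, "%s", s);
    return n;
}
static void anon_vma_name_get(struct anon_vma_name *n) { if (n) n->refcount++; }
static void anon_vma_name_put(struct anon_vma_name *n) {
    if (n && --n->refcount == 0) { names_freed++; free(n); }
}
static struct vma *make_vma(const char *s) {
    struct vma *v = calloc(1, sizeof *v);
    v->anon_name = anon_vma_name_alloc(s);
    return v;
}
/* Stands in for vma_merge -> __vma_adjust -> vm_area_free: the original vma
 * is destroyed and drops its reference to the name. */
static void vma_merge_free(struct vma *v) { anon_vma_name_put(v->anon_name); free(v); }

/* Unfixed flow: name is a bare char * into v->anon_name. Returns how many
 * name objects the merge freed; 1 means the pointer now dangles. */
static int update_vma_bare_pointer(struct vma *v) {
    const char *name = v->anon_name->name;
    int before = names_freed;
    vma_merge_free(v);
    (void)name;  /* dereferencing name here would be the UAF */
    return names_freed - before;
}
/* Fixed flow: hold a reference on the struct across the merge, as the patch
 * does. Returns 1 if the name is still intact after the vma is gone. */
static int update_vma_stabilized(struct vma *v, const char *expected) {
    struct anon_vma_name *name = v->anon_name;
    int ok;
    anon_vma_name_get(name);
    vma_merge_free(v);
    ok = strcmp(name->name, expected) == 0 && name->refcount == 1;
    anon_vma_name_put(name);
    return ok;
}
```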