NULL-ptr deref in mmput via sys_migrate_pages in 3.4-rc4 (proly missing mm==NULL check)

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

* NULL-ptr deref in mmput via sys_migrate_pages in 3.4-rc4 (proly missing mm==NULL check)
@ 2012-04-23 22:44 Robert Święcki
  2012-04-24 14:23 ` Robert Święcki
  0 siblings, 1 reply; 3+ messages in thread
From: Robert Święcki @ 2012-04-23 22:44 UTC (permalink / raw)
  To: linux-kernel

mm/mempolicy.c
1362         mm = get_task_mm(task);
1363         put_task_struct(task);
1364         if (mm)
1365                 err = do_migrate_pages(mm, old, new,
1366                         capable(CAP_SYS_NICE) ? MPOL_MF_MOVE_ALL
: MPOL_MF_MOVE);
1367         else
1368                 err = -EINVAL;
1369
1370         mmput(mm);

Where mmput doesn't check for mm

kernel/fork.c
567 void mmput(struct mm_struct *mm)
568 {
569         might_sleep();
570
571         if (atomic_dec_and_test(&mm->mm_users)) {


causes NULL-ptr deref

(gdb) target remote /dev/ttyS0
Remote debugging using /dev/ttyS0
mmput (mm=0x0) at kernel/fork.c:571
571		if (atomic_dec_and_test(&mm->mm_users)) {

(gdb) bt
#0  mmput (mm=0x0) at kernel/fork.c:571
#1  0xffffffff8116a1e0 in sys_migrate_pages (pid=<optimized out>,
maxnode=<optimized out>, old_nodes=<optimized out>,
new_nodes=<optimized out>) at mm/mempolicy.c:1370
#2  0xffffffff820726c9 in ?? () at arch/x86/ia32/ia32entry.S:425


(gdb) up
#1  0xffffffff8116a1e0 in sys_migrate_pages (pid=<optimized out>,
maxnode=<optimized out>, old_nodes=<optimized out>,
new_nodes=<optimized out>) at mm/mempolicy.c:1370
1370		mmput(mm);
(gdb) p mm
$1 = (struct mm_struct *) 0x0
(gdb) p task->mm
$2 = (struct mm_struct *) 0x0


-- 
Robert Święcki

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: NULL-ptr deref in mmput via sys_migrate_pages in 3.4-rc4 (proly missing mm==NULL check)
  2012-04-23 22:44 NULL-ptr deref in mmput via sys_migrate_pages in 3.4-rc4 (proly missing mm==NULL check) Robert Święcki
@ 2012-04-24 14:23 ` Robert Święcki
  2012-04-25 20:15   ` Dave Jones
  0 siblings, 1 reply; 3+ messages in thread
From: Robert Święcki @ 2012-04-24 14:23 UTC (permalink / raw)
  To: linux-kernel; +Cc: Christoph Lameter

On Tue, Apr 24, 2012 at 12:44 AM, Robert Święcki <robert@swiecki.net> wrote:
> mm/mempolicy.c
> 1362         mm = get_task_mm(task);
> 1363         put_task_struct(task);
> 1364         if (mm)
> 1365                 err = do_migrate_pages(mm, old, new,
> 1366                         capable(CAP_SYS_NICE) ? MPOL_MF_MOVE_ALL
> : MPOL_MF_MOVE);
> 1367         else
> 1368                 err = -EINVAL;
> 1369
> 1370         mmput(mm);
>
> Where mmput doesn't check for mm
>
> kernel/fork.c
> 567 void mmput(struct mm_struct *mm)
> 568 {
> 569         might_sleep();
> 570
> 571         if (atomic_dec_and_test(&mm->mm_users)) {
>
>
> causes NULL-ptr deref
>
> (gdb) target remote /dev/ttyS0
> Remote debugging using /dev/ttyS0
> mmput (mm=0x0) at kernel/fork.c:571
> 571             if (atomic_dec_and_test(&mm->mm_users)) {
>
> (gdb) bt
> #0  mmput (mm=0x0) at kernel/fork.c:571
> #1  0xffffffff8116a1e0 in sys_migrate_pages (pid=<optimized out>,
> maxnode=<optimized out>, old_nodes=<optimized out>,
> new_nodes=<optimized out>) at mm/mempolicy.c:1370
> #2  0xffffffff820726c9 in ?? () at arch/x86/ia32/ia32entry.S:425
>
>
> (gdb) up
> #1  0xffffffff8116a1e0 in sys_migrate_pages (pid=<optimized out>,
> maxnode=<optimized out>, old_nodes=<optimized out>,
> new_nodes=<optimized out>) at mm/mempolicy.c:1370
> 1370            mmput(mm);
> (gdb) p mm
> $1 = (struct mm_struct *) 0x0
> (gdb) p task->mm
> $2 = (struct mm_struct *) 0x0

Most likely caused by this patch:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=3268c63eded4612a3d07b56d1e02ce7731e6608e

-- 
Robert Święcki

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: NULL-ptr deref in mmput via sys_migrate_pages in 3.4-rc4 (proly missing mm==NULL check)
  2012-04-24 14:23 ` Robert Święcki
@ 2012-04-25 20:15   ` Dave Jones
  0 siblings, 0 replies; 3+ messages in thread
From: Dave Jones @ 2012-04-25 20:15 UTC (permalink / raw)
  To: Robert Święcki; +Cc: linux-kernel, Christoph Lameter, linux-mm

Commit 3268c63eded4612a3d07b56d1e02ce7731e6608e introduced two potential NULL dereferences.
Move the mmput calls into the if arms that have already tested for a valid mm.

Reported-by: Robert Święcki <robert@swiecki.net>
Cc: Christoph Lameter <cl@linux.com>
Signed-off-by: Dave Jones <davej@redhat.com>

diff --git a/mm/mempolicy.c b/mm/mempolicy.c
index cfb6c86..6de4850 100644
--- a/mm/mempolicy.c
+++ b/mm/mempolicy.c
@@ -1361,13 +1361,12 @@ SYSCALL_DEFINE4(migrate_pages, pid_t, pid, unsigned long, maxnode,
 
 	mm = get_task_mm(task);
 	put_task_struct(task);
-	if (mm)
+	if (mm) {
 		err = do_migrate_pages(mm, old, new,
 			capable(CAP_SYS_NICE) ? MPOL_MF_MOVE_ALL : MPOL_MF_MOVE);
-	else
+		mmput(mm);
+	} else
 		err = -EINVAL;
-
-	mmput(mm);
 out:
 	NODEMASK_SCRATCH_FREE(scratch);
 
diff --git a/mm/migrate.c b/mm/migrate.c
index 51c08a0..d73d860 100644
--- a/mm/migrate.c
+++ b/mm/migrate.c
@@ -1389,15 +1389,15 @@ SYSCALL_DEFINE6(move_pages, pid_t, pid, unsigned long, nr_pages,
 	put_task_struct(task);
 
 	if (mm) {
-		if (nodes)
+		if (nodes) {
 			err = do_pages_move(mm, task_nodes, nr_pages, pages,
 					    nodes, status, flags);
-		else
+			mmput(mm);
+		} else
 			err = do_pages_stat(mm, nr_pages, pages, status);
 	} else
 		err = -EINVAL;
 
-	mmput(mm);
 	return err;
 
 out:

^ permalink raw reply related	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2012-04-25 20:15 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2012-04-23 22:44 NULL-ptr deref in mmput via sys_migrate_pages in 3.4-rc4 (proly missing mm==NULL check) Robert Święcki
2012-04-24 14:23 ` Robert Święcki
2012-04-25 20:15   ` Dave Jones

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox