From: Sven Schnelle <svens@linux.ibm.com>
To: Lorenzo Stoakes <lstoakes@gmail.com>
Cc: "Liam R. Howlett" <Liam.Howlett@oracle.com>,
	linux-mm@kvack.org, linux-kernel@vger.kernel.org,
	Andrew Morton <akpm@linux-foundation.org>,
	syzbot+a7c1ec5b1d71ceaa5186@syzkaller.appspotmail.com,
	stable@vger.kernel.org, linux-s390@vger.kernel.org
Subject: Re: [PATCH] mm/mempolicy: Fix use-after-free of VMA iterator
Date: Mon, 01 May 2023 20:24:48 +0200
Message-ID: <yt9da5yn7vv3.fsf@linux.ibm.com>
In-Reply-To: <5066f333-5021-451d-abdd-07a027d98820@lucifer.local> (Lorenzo Stoakes's message of "Sun, 30 Apr 2023 14:35:00 +0100")

Lorenzo Stoakes <lstoakes@gmail.com> writes:

> On Thu, Apr 27, 2023 at 01:32:47PM -0400, Liam R. Howlett wrote:
>> * Sven Schnelle <svens@linux.ibm.com> [230427 02:53]:
>> > "Liam R. Howlett" <Liam.Howlett@oracle.com> writes:
>> >
>> > > set_mempolicy_home_node() iterates over a list of VMAs and calls
>> > > mbind_range() on each VMA, which also iterates over the singular list of
>> > > the VMA passed in and potentially splits the VMA.  Since the VMA
>> > > iterator is not passed through, set_mempolicy_home_node() may now point
>> > > to a stale node in the VMA tree.  This can result in a UAF as reported
>> > > by syzbot.
>> > >
>> > > Avoid the stale maple tree node by passing the VMA iterator through to
>> > > the underlying call to split_vma().
>> > >
>> > > mbind_range() is also overly complicated, since there are two calling
>> > > functions and one already handles iterating over the VMAs.  Simplify
>> > > mbind_range() to only handle merging and splitting of the VMAs.
>> > >
>> > > Align the new loop in do_mbind() and existing loop in
>> > > set_mempolicy_home_node() to use the reduced mbind_range() function.
>> > > This allows for a single location of the range calculation and avoids
>> > > constantly looking up the previous VMA (since this is a loop over the
>> > > VMAs).
>> > >
>> > > Link: https://lore.kernel.org/linux-mm/000000000000c93feb05f87e24ad@google.com/
>> > > Reported-and-tested-by: syzbot+a7c1ec5b1d71ceaa5186@syzkaller.appspotmail.com
>> > > Fixes: 66850be55e8e ("mm/mempolicy: use vma iterator & maple state instead of vma linked list")
>> > > Cc: <stable@vger.kernel.org>
>> > > Signed-off-by: Liam R. Howlett <Liam.Howlett@oracle.com>
>> > > ---
>> >
>> > This breaks the vma02 testcase from ltp on s390:
>> >
>> >  ~ # ./vma02
>> > vma02       0  TINFO  :  pid = 617 addr = 0x3ff8f673000
>> > vma02       0  TINFO  :  start = 0x3ff8f673000, end = 0x3ff8f674000
>> > vma02       0  TINFO  :  start = 0x3ff8f674000, end = 0x3ff8f675000
>> > vma02       0  TINFO  :  start = 0x3ff8f675000, end = 0x3ff8f676000
>> > vma02       1  TFAIL  :  vma02.c:144: >1 unmerged VMAs.
>> > Any thoughts?
>>
>> No thoughts that I should share.
>>
>> I will have to boot my s390 (vm) and have a look.
>>
>> Thanks for letting me know.
>>
>> Regards,
>> Liam
>
> I tracked down what this (almost certainly) was + added fix in [1] as it
> popped up as a 6.2.y stable bug. It doesn't seem arch-specific so you can
> put that s390 down :)
>
> [1]:https://lore.kernel.org/all/db42467a692d78c654ec5c1953329401bd8a9c34.1682859234.git.lstoakes@gmail.com/

Thanks, just tested, and it solves the issue for me.
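The failure Sven quotes is the vma02 check that adjacent pages given the same memory policy one at a time end up in a single merged VMA. The program below is an added example, not LTP's vma02 and not the kernel patch under discussion: it reproduces that check from user space by mapping three anonymous pages, calling mbind() on each page separately with an identical MPOL_BIND policy (node 0), and then counting how many /proc/self/maps entries overlap the region, exactly the quantity the quoted TFAIL line reports. It assumes a Linux kernel built with CONFIG_NUMA (otherwise the raw syscall fails with ENOSYS) and that node 0 has memory; the MPOL_BIND value is copied from the uapi header linux/mempolicy.h rather than pulled from libnuma so that the program builds without it. The maps lines used in the self-test are constructed, mirroring the addresses in Sven's output.

```c
/* Added example: count the VMAs covering a range after page-wise mbind().
 * Not LTP's vma02 and not the mm/mempolicy patch; written for this thread.
 * Assumes Linux with CONFIG_NUMA and an online node 0 with memory. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>
#include <sys/syscall.h>

/* Value taken from the uapi header linux/mempolicy.h (enum: DEFAULT=0,
 * PREFERRED=1, BIND=2); defined here to avoid depending on libnuma. */
#ifndef MPOL_BIND
#define MPOL_BIND 2
#endif

/* Count the maps entries overlapping [start, end).  maps_text is the
 * content of /proc/<pid>/maps; each line begins "START-END perms ...". */
static int count_vmas_in_range(const char *maps_text,
                               unsigned long start, unsigned long end)
{
    int count = 0;
    const char *line = maps_text;

    while (line && *line) {
        unsigned long vstart, vend;

        /* Half-open interval overlap test against the line's range. */
        if (sscanf(line, "%lx-%lx", &vstart, &vend) == 2 &&
            vstart < end && vend > start)
            count++;
        line = strchr(line, '\n');
        if (line)
            line++;
    }
    return count;
}

/* Read /proc/self/maps into a malloc'd, NUL-terminated buffer.
 * procfs reports a size of 0, so read until fread() returns nothing. */
static char *read_self_maps(void)
{
    FILE *f = fopen("/proc/self/maps", "r");
    size_t cap = 4096, used = 0;
    char *buf;

    if (!f)
        return NULL;
    buf = malloc(cap);
    if (!buf) {
        fclose(f);
        return NULL;
    }
    for (;;) {
        size_t n = fread(buf + used, 1, cap - used - 1, f);

        used += n;
        if (n == 0)
            break;
        if (used + 1 >= cap) {
            char *nb = realloc(buf, cap * 2);

            if (!nb) {
                free(buf);
                fclose(f);
                return NULL;
            }
            buf = nb;
            cap *= 2;
        }
    }
    buf[used] = '\0';
    fclose(f);
    return buf;
}

int main(void)
{
    long page = sysconf(_SC_PAGESIZE);
    size_t len = 3 * (size_t)page;
    unsigned long nodemask = 1UL;          /* bit 0: NUMA node 0 */
    char *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    char *maps;
    int n, i;

    if (p == MAP_FAILED) {
        perror("mmap");
        return 1;
    }
    /* Apply the same policy one page at a time: each call splits the VMA
     * and the next call must merge the pieces back together. */
    for (i = 0; i < 3; i++) {
        if (syscall(SYS_mbind, p + i * page, (unsigned long)page, MPOL_BIND,
                    &nodemask, 8 * sizeof(nodemask), 0) != 0) {
            perror("mbind");   /* ENOSYS: kernel built without CONFIG_NUMA */
            return 1;
        }
    }
    maps = read_self_maps();
    if (!maps) {
        perror("/proc/self/maps");
        return 1;
    }
    n = count_vmas_in_range(maps, (unsigned long)p, (unsigned long)p + len);
    printf("%d VMA(s) cover %p-%p (expect 1 if merging works)\n",
           n, (void *)p, (void *)(p + len));
    free(maps);
    munmap(p, len);
    return n == 1 ? 0 : 1;
}
```

On a kernel with the merge regression the program reports three VMAs and exits non-zero, matching the three start/end lines in the quoted vma02 output; on a fixed kernel it reports one. Because each mbind() call takes the same policy, any count above one means a split was not merged back, which is the condition vma02.c:144 flags.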


Thread overview: 5+ messages
2023-04-10 15:22 [PATCH] mm/mempolicy: Fix use-after-free of VMA iterator Liam R. Howlett
2023-04-27  6:52 ` Sven Schnelle
2023-04-27 17:32   ` Liam R. Howlett
2023-04-30 13:35     ` Lorenzo Stoakes
2023-05-01 18:24       ` Sven Schnelle [this message]
