From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, zhong jiang <zhongjiang@huawei.com>,
Michal Hocko <mhocko@suse.com>, Minchan Kim <minchan@kernel.org>,
Vlastimil Babka <vbabka@suse.cz>,
David Rientjes <rientjes@google.com>,
Mel Gorman <mgorman@techsingularity.net>,
Andrew Morton <akpm@linux-foundation.org>,
Linus Torvalds <torvalds@linux-foundation.org>
Subject: [PATCH 4.4 10/20] mm/mempolicy: fix use after free when calling get_mempolicy
Date: Tue, 22 Aug 2017 12:09:53 -0700 [thread overview]
Message-ID: <20170822190915.774024018@linuxfoundation.org> (raw)
In-Reply-To: <20170822190915.345029476@linuxfoundation.org>
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: zhong jiang <zhongjiang@huawei.com>
commit 73223e4e2e3867ebf033a5a8eb2e5df0158ccc99 upstream.
I hit a use after free issue when executing trinity and repoduced it
with KASAN enabled. The related call trace is as follows.
BUG: KASan: use after free in SyS_get_mempolicy+0x3c8/0x960 at addr ffff8801f582d766
Read of size 2 by task syz-executor1/798
INFO: Allocated in mpol_new.part.2+0x74/0x160 age=3 cpu=1 pid=799
__slab_alloc+0x768/0x970
kmem_cache_alloc+0x2e7/0x450
mpol_new.part.2+0x74/0x160
mpol_new+0x66/0x80
SyS_mbind+0x267/0x9f0
system_call_fastpath+0x16/0x1b
INFO: Freed in __mpol_put+0x2b/0x40 age=4 cpu=1 pid=799
__slab_free+0x495/0x8e0
kmem_cache_free+0x2f3/0x4c0
__mpol_put+0x2b/0x40
SyS_mbind+0x383/0x9f0
system_call_fastpath+0x16/0x1b
INFO: Slab 0xffffea0009cb8dc0 objects=23 used=8 fp=0xffff8801f582de40 flags=0x200000000004080
INFO: Object 0xffff8801f582d760 @offset=5984 fp=0xffff8801f582d600
Bytes b4 ffff8801f582d750: ae 01 ff ff 00 00 00 00 5a 5a 5a 5a 5a 5a 5a 5a ........ZZZZZZZZ
Object ffff8801f582d760: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
Object ffff8801f582d770: 6b 6b 6b 6b 6b 6b 6b a5 kkkkkkk.
Redzone ffff8801f582d778: bb bb bb bb bb bb bb bb ........
Padding ffff8801f582d8b8: 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZ
Memory state around the buggy address:
ffff8801f582d600: fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff8801f582d680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8801f582d700: fc fc fc fc fc fc fc fc fc fc fc fc fb fb fb fc
!shared memory policy is not protected against parallel removal by other
thread which is normally protected by the mmap_sem. do_get_mempolicy,
however, drops the lock midway while we can still access it later.
Early premature up_read is a historical artifact from times when
put_user was called in this path see https://lwn.net/Articles/124754/
but that is gone since 8bccd85ffbaf ("[PATCH] Implement sys_* do_*
layering in the memory policy layer."). but when we have the the
current mempolicy ref count model. The issue was introduced
accordingly.
Fix the issue by removing the premature release.
Link: http://lkml.kernel.org/r/1502950924-27521-1-git-send-email-zhongjiang@huawei.com
Signed-off-by: zhong jiang <zhongjiang@huawei.com>
Acked-by: Michal Hocko <mhocko@suse.com>
Cc: Minchan Kim <minchan@kernel.org>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: David Rientjes <rientjes@google.com>
Cc: Mel Gorman <mgorman@techsingularity.net>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/mempolicy.c | 5 -----
1 file changed, 5 deletions(-)
--- a/mm/mempolicy.c
+++ b/mm/mempolicy.c
@@ -894,11 +894,6 @@ static long do_get_mempolicy(int *policy
*policy |= (pol->flags & MPOL_MODE_FLAGS);
}
- if (vma) {
- up_read(¤t->mm->mmap_sem);
- vma = NULL;
- }
-
err = 0;
if (nmask) {
if (mpol_store_user_nodemask(pol)) {
next prev parent reply other threads:[~2017-08-22 19:10 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-08-22 19:09 [PATCH 4.4 00/20] 4.4.84-stable review Greg Kroah-Hartman
2017-08-22 19:09 ` [PATCH 4.4 01/20] netfilter: nf_ct_ext: fix possible panic after nf_ct_extend_unregister Greg Kroah-Hartman
2017-08-22 19:09 ` [PATCH 4.4 02/20] audit: Fix use after free in audit_remove_watch_rule() Greg Kroah-Hartman
2017-08-22 19:09 ` [PATCH 4.4 03/20] parisc: pci memory bar assignment fails with 64bit kernels on dino/cujo Greg Kroah-Hartman
2017-08-22 19:09 ` [PATCH 4.4 04/20] crypto: x86/sha1 - Fix reads beyond the number of blocks passed Greg Kroah-Hartman
2017-08-22 19:09 ` [PATCH 4.4 05/20] Input: elan_i2c - add ELAN0608 to the ACPI table Greg Kroah-Hartman
2017-08-22 19:09 ` [PATCH 4.4 06/20] Input: elan_i2c - Add antoher Lenovo ACPI ID for upcoming Lenovo NB Greg Kroah-Hartman
2017-08-22 19:09 ` [PATCH 4.4 07/20] ALSA: seq: 2nd attempt at fixing race creating a queue Greg Kroah-Hartman
2017-08-22 19:09 ` [PATCH 4.4 08/20] ALSA: usb-audio: Apply sample rate quirk to Sennheiser headset Greg Kroah-Hartman
2017-08-22 19:09 ` [PATCH 4.4 09/20] ALSA: usb-audio: Add mute TLV for playback volumes on C-Media devices Greg Kroah-Hartman
2017-08-22 19:09 ` Greg Kroah-Hartman [this message]
2017-08-22 19:09 ` [PATCH 4.4 11/20] mm: revert x86_64 and arm64 ELF_ET_DYN_BASE base changes Greg Kroah-Hartman
2017-08-22 19:09 ` [PATCH 4.4 13/20] x86/asm/64: Clear AC on NMI entries Greg Kroah-Hartman
2017-08-22 19:09 ` [PATCH 4.4 14/20] irqchip/atmel-aic: Fix unbalanced of_node_put() in aic_common_irq_fixup() Greg Kroah-Hartman
2017-08-22 19:09 ` [PATCH 4.4 15/20] irqchip/atmel-aic: Fix unbalanced refcount in aic_common_rtc_irq_fixup() Greg Kroah-Hartman
2017-08-22 19:09 ` [PATCH 4.4 16/20] Sanitize move_pages() permission checks Greg Kroah-Hartman
2017-08-22 19:10 ` [PATCH 4.4 17/20] pids: make task_tgid_nr_ns() safe Greg Kroah-Hartman
2017-08-22 19:10 ` [PATCH 4.4 18/20] perf/x86: Fix LBR related crashes on Intel Atom Greg Kroah-Hartman
2017-08-22 19:10 ` [PATCH 4.4 19/20] usb: optimize acpi companion search for usb port devices Greg Kroah-Hartman
2017-08-22 19:10 ` [PATCH 4.4 20/20] usb: qmi_wwan: add D-Link DWM-222 device ID Greg Kroah-Hartman
2017-08-23 0:36 ` [PATCH 4.4 00/20] 4.4.84-stable review Shuah Khan
2017-08-27 16:57 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170822190915.774024018@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=akpm@linux-foundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mgorman@techsingularity.net \
--cc=mhocko@suse.com \
--cc=minchan@kernel.org \
--cc=rientjes@google.com \
--cc=stable@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
--cc=vbabka@suse.cz \
--cc=zhongjiang@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).