From patchwork Thu Feb 10 00:18:01 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Suren Baghdasaryan X-Patchwork-Id: 12741073 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id 6A641C433EF for ; Thu, 10 Feb 2022 00:18:08 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id DBEF96B0078; Wed, 9 Feb 2022 19:18:07 -0500 (EST) Received: by kanga.kvack.org (Postfix, from userid 40) id D6DCF6B007B; Wed, 9 Feb 2022 19:18:07 -0500 (EST) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id C35A86B007D; Wed, 9 Feb 2022 19:18:07 -0500 (EST) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (relay.hostedemail.com [64.99.140.27]) by kanga.kvack.org (Postfix) with ESMTP id B3B506B0078 for ; Wed, 9 Feb 2022 19:18:07 -0500 (EST) Received: from smtpin05.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay08.hostedemail.com (Postfix) with ESMTP id 72901203A0 for ; Thu, 10 Feb 2022 00:18:07 +0000 (UTC) X-FDA: 79124957814.05.C92DE1E Received: from mail-yb1-f202.google.com (mail-yb1-f202.google.com [209.85.219.202]) by imf09.hostedemail.com (Postfix) with ESMTP id 1573A14000D for ; Thu, 10 Feb 2022 00:18:06 +0000 (UTC) Received: by mail-yb1-f202.google.com with SMTP id j17-20020a25ec11000000b0061dabf74012so8368661ybh.15 for ; Wed, 09 Feb 2022 16:18:06 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=date:message-id:mime-version:subject:from:to:cc; bh=w6tX9+LQQBgQkkL2Bmc0Ipn0ZYxEiQaM6qO9zXS/sD4=; b=LyjUs12jFchRbYf+ASxBxNEsiClOdfJyVsWMQuJzQI0s4J1EDfEochhm9jtdOxvzSG swfXSCSS0eDITV/XVz2A7h3CdX6ZbRxSVNgEmyCBbGkuQ2vxRFseuHb8Ym9aOaID3Mq7 DCtuv5TJLO4how//y3nZ6OHBTV0CAVTNUpPpfv9okzd/ucPaM2YF3IjIq8z11SpkrhQS Oj/4q7ldfEpSIM/hKhG2eKnLRpaJT+KJk5ESLvNRoBLU+simsYvCINODJkCAfMbawKlY F1AFB6IWWoBOHHCcxoXxHayWcKC7nYbnauL6bqLdpZhJZojGa10aAsdRirLHqVKjV3sP GrUQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:date:message-id:mime-version:subject:from:to:cc; bh=w6tX9+LQQBgQkkL2Bmc0Ipn0ZYxEiQaM6qO9zXS/sD4=; b=cfR03RhfltPgus+UDuqh5TW45ax6L4pFea3rYhQRgjecBC1i5pWMnia30tFSOjBwEF GNoxlsxXBBFuCPmNvDtpt/BSXRrIWmSd+i27rPA1DlukcRPAm8kt/JhsVA6Yn47kJOsf PHW4oo4Z8py91ju3MUJncmMeeFG/uGoCPiKmjbBf0ctFoa7/Rp6RbtJhmI3CiUs04bbJ WrQ4MZMngxPRJX00DJh75fumRgIhvuwQDcvB535ZNTnl9iB1zfzhQYfJyHCJuW4TUsG4 B6W4xU39rMIJz3EBxVbGWo9L1iW4U8LkY+ptjAD2GDGkuV/xnzzfQ+u/Y/RiHWVAXKgG byyA== X-Gm-Message-State: AOAM531080kaR9tqol3CmVlEPwV5G/3a8xy7F3ZWajhjoxAiiz0yPjX0 bJzRHi8ZyCYizDt9qFlOezlmWitwXIo= X-Google-Smtp-Source: ABdhPJxjQE6hDRgB3Yfh1egBA9CHmneYX+GIeGCDPvULa2hWWGNpM3Vp4gBNGaRiiDyaUPor7WTgh6F8ApM= X-Received: from surenb-desktop.mtv.corp.google.com ([2620:15c:211:200:17d2:7c05:7f59:da03]) (user=surenb job=sendgmr) by 2002:a81:4a07:: with SMTP id x7mr4764404ywa.245.1644452286222; Wed, 09 Feb 2022 16:18:06 -0800 (PST) Date: Wed, 9 Feb 2022 16:18:01 -0800 Message-Id: <20220210001801.15413-1-surenb@google.com> Mime-Version: 1.0 X-Mailer: git-send-email 2.35.1.265.g69c8d7142f-goog Subject: [PATCH 1/1] mm: Fix UAF when anon vma name is used after vma is freed From: Suren Baghdasaryan To: akpm@linux-foundation.org Cc: ccross@google.com, sumit.semwal@linaro.org, mhocko@suse.com, dave.hansen@intel.com, keescook@chromium.org, willy@infradead.org, kirill.shutemov@linux.intel.com, vbabka@suse.cz, hannes@cmpxchg.org, ebiederm@xmission.com, brauner@kernel.org, legion@kernel.org, ran.xiaokai@zte.com.cn, sashal@kernel.org, chris.hyser@oracle.com, dave@stgolabs.net, pcc@google.com, caoxiaofeng@yulong.com, david@redhat.com, gorcunov@gmail.com, linux-mm@kvack.org, linux-kernel@vger.kernel.org, kernel-team@android.com, surenb@google.com, syzbot+aa7b3d4b35f9dc46a366@syzkaller.appspotmail.com X-Stat-Signature: a4oc3euby1uq8pm4x7r5m461ws31469j Authentication-Results: imf09.hostedemail.com; dkim=pass header.d=google.com header.s=20210112 header.b=LyjUs12j; spf=pass (imf09.hostedemail.com: domain of 3vlkEYgYKCJkLNK7G49HH9E7.5HFEBGNQ-FFDO35D.HK9@flex--surenb.bounces.google.com designates 209.85.219.202 as permitted sender) smtp.mailfrom=3vlkEYgYKCJkLNK7G49HH9E7.5HFEBGNQ-FFDO35D.HK9@flex--surenb.bounces.google.com; dmarc=pass (policy=reject) header.from=google.com X-Rspam-User: X-Rspamd-Server: rspam09 X-Rspamd-Queue-Id: 1573A14000D X-HE-Tag: 1644452286-833831 X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: When adjacent vmas are being merged it can result in the vma that was originally passed to madvise_update_vma being destroyed. In the current implementation, the name parameter passed to madvise_update_vma points directly to vma->anon_name->name and it is used after the call to vma_merge. In the cases when vma_merge merges the original vma and destroys it, this will result in use-after-free bug as shown below: madvise_vma_behavior << passes vma->anon_name->name as name param madvise_update_vma(name) vma_merge __vma_adjust vm_area_free <-- frees the vma replace_vma_anon_name(name) <-- UAF Fix this by passing madvise_update_vma a copy of the name. Fixes: 9a10064f5625 ("mm: add a field to store names for private anonymous memory") Reported-by: syzbot+aa7b3d4b35f9dc46a366@syzkaller.appspotmail.com Signed-off-by: Suren Baghdasaryan --- include/linux/mm.h | 2 ++ kernel/sys.c | 1 - mm/madvise.c | 14 +++++++++++++- 3 files changed, 15 insertions(+), 2 deletions(-) diff --git a/include/linux/mm.h b/include/linux/mm.h index 213cc569b192..e3490be76f35 100644 --- a/include/linux/mm.h +++ b/include/linux/mm.h @@ -3370,6 +3370,8 @@ static inline int seal_check_future_write(int seals, struct vm_area_struct *vma) return 0; } +#define ANON_VMA_NAME_MAX_LEN 80 + #ifdef CONFIG_ANON_VMA_NAME int madvise_set_anon_name(struct mm_struct *mm, unsigned long start, unsigned long len_in, const char *name); diff --git a/kernel/sys.c b/kernel/sys.c index ecc4cf019242..4cb6dc4bc09c 100644 --- a/kernel/sys.c +++ b/kernel/sys.c @@ -2263,7 +2263,6 @@ int __weak arch_prctl_spec_ctrl_set(struct task_struct *t, unsigned long which, #ifdef CONFIG_ANON_VMA_NAME -#define ANON_VMA_NAME_MAX_LEN 80 #define ANON_VMA_NAME_INVALID_CHARS "\\`$[]" static inline bool is_valid_name_char(char ch) diff --git a/mm/madvise.c b/mm/madvise.c index 5604064df464..f36a5a9942d8 100644 --- a/mm/madvise.c +++ b/mm/madvise.c @@ -976,6 +976,8 @@ static int madvise_vma_behavior(struct vm_area_struct *vma, { int error; unsigned long new_flags = vma->vm_flags; + char name_buf[ANON_VMA_NAME_MAX_LEN]; + const char *anon_name; switch (behavior) { case MADV_REMOVE: @@ -1040,8 +1042,18 @@ static int madvise_vma_behavior(struct vm_area_struct *vma, break; } + anon_name = vma_anon_name(vma); + if (anon_name) { + /* + * Make a copy of the name because vma might be destroyed when + * merged with another one and the name parameter might be used + * after that. + */ + strcpy(name_buf, anon_name); + anon_name = name_buf; + } error = madvise_update_vma(vma, prev, start, end, new_flags, - vma_anon_name(vma)); + anon_name); out: /*