From patchwork Wed Jul 26 21:41:03 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jann Horn X-Patchwork-Id: 13328603 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7EE77C001E0 for ; Wed, 26 Jul 2023 21:42:37 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id 1C46D8D0002; Wed, 26 Jul 2023 17:42:37 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id 1761F6B0072; Wed, 26 Jul 2023 17:42:37 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 03D798D0002; Wed, 26 Jul 2023 17:42:36 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0013.hostedemail.com [216.40.44.13]) by kanga.kvack.org (Postfix) with ESMTP id EB3C06B0071 for ; Wed, 26 Jul 2023 17:42:36 -0400 (EDT) Received: from smtpin10.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay05.hostedemail.com (Postfix) with ESMTP id BD2CA403F3 for ; Wed, 26 Jul 2023 21:42:36 +0000 (UTC) X-FDA: 81055087512.10.6149C02 Received: from mail-wm1-f48.google.com (mail-wm1-f48.google.com [209.85.128.48]) by imf05.hostedemail.com (Postfix) with ESMTP id CDE57100014 for ; Wed, 26 Jul 2023 21:42:34 +0000 (UTC) Authentication-Results: imf05.hostedemail.com; dkim=pass header.d=google.com header.s=20221208 header.b=OYnxtY0l; spf=pass (imf05.hostedemail.com: domain of jannh@google.com designates 209.85.128.48 as permitted sender) smtp.mailfrom=jannh@google.com; dmarc=pass (policy=reject) header.from=google.com ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1690407754; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:dkim-signature; bh=fA0Me8OSweYBjKfTeTvzrSFKTXO3COLTBAEvIA2gZco=; b=YbDKTOHPpn1rYEdsORsXDk6sQSh4KGKZ7oFK5icty1fbAcR6nKEXjTF7dB9g6MW0xxaHaL s70Thx51bXr7GXaxcMZAaDdjKJwNN2u6jEITWiHooNe/DDb+MQ87Nyk+OHrtmaXnX4THnD EI6pTI9Vsb9hSjrRt6QjX0/I3Q0ZdyI= ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1690407754; a=rsa-sha256; cv=none; b=z+mwSJss1iEWNDfKCkZgnXoLd4CJGX6eizpBIKlFG7hSAOP5+820E7KnTiZE32Ul9pd2bk M5pIoRN8V5QINLkj9UUd/DV+qb/VYQVRBiXbtrwbEtkSXeNV17wzDAH4qd/5z4uyF5Iq57 67DvOPhZBZyiZZSLd8nUAPnYTgZFi14= ARC-Authentication-Results: i=1; imf05.hostedemail.com; dkim=pass header.d=google.com header.s=20221208 header.b=OYnxtY0l; spf=pass (imf05.hostedemail.com: domain of jannh@google.com designates 209.85.128.48 as permitted sender) smtp.mailfrom=jannh@google.com; dmarc=pass (policy=reject) header.from=google.com Received: by mail-wm1-f48.google.com with SMTP id 5b1f17b1804b1-3fbb07e7155so29395e9.0 for ; Wed, 26 Jul 2023 14:42:34 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20221208; t=1690407753; x=1691012553; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=fA0Me8OSweYBjKfTeTvzrSFKTXO3COLTBAEvIA2gZco=; b=OYnxtY0lQuP4YPlQRqAUmtP3RMc8pfaHk2NfnpSIoIDi3PjLr3leyZSzd22GI5ecos mJGI5GscwkBgXyl1qaCtnGOD6nGS8VhZlwTm7slBxueZ7gebzjedpmw5tqTiTsjehOoH Ul10KCReJXIFOQDkUF3nK9lHTP73ydkyGa3oczkh6hHDJUJUFTW4NtSwqL755G+L7ogJ 0pHiJN+lx1hAwE6Afno47y5K6cX6udQIoua2oBuZwj0UtPD3gpCL3pIbuK7iEwOFnQfB xbzmbJ8VbPBQzMiYyZgC2E82sr+gqgGMe4e6lRAyf5cWPva1AHCgsQtO+mkAwhHyaF/r o2dw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1690407753; x=1691012553; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=fA0Me8OSweYBjKfTeTvzrSFKTXO3COLTBAEvIA2gZco=; b=dWbPzWMwqKqMfaeBUruWuVNoLF2frECZ+SJnIN+o/M6Hda/FjGOQYJYmca45DCbHXp tSh1OW9iuXkral4KLfDxbh0Fi2MIctRgJINOBBVZAr5ri4tD3IXJ0e2xMMhz/2yCoXii WJlRYGW+CjuL+22PcVQpv2rM+UH04gAhMj68OUYJjdr8wATqedEqDRATT5Ud11uXujZs uhJx7EM4u0NE/MUSNVUxLxxZj/3+jXr0LX4N+X7dnV3DkF739i9BrVqNwV+gGZCqXYXy arNObOJuLMCPStZkCX5TIpKBYaCtFD985cjmme0EZBTvjIBqIEEVImGIBYu5aAAo2IO3 GMCA== X-Gm-Message-State: ABy/qLYAwny8H5gcBc0/Q8Qsznvfv0jMSeTVIta+oSuuXEyIhr42Z90M OJJeGnuEikv8Krd65vRizRzSgQ== X-Google-Smtp-Source: APBJJlF6Dq7xoEActnF1/g/rKskCj63rlqpHc/U+0oCDlz+EnM06XrCK1OzzM/6uuxJknTayVYMmaA== X-Received: by 2002:a05:600c:829:b0:3f1:6fe9:4a95 with SMTP id k41-20020a05600c082900b003f16fe94a95mr23971wmp.4.1690407753151; Wed, 26 Jul 2023 14:42:33 -0700 (PDT) Received: from localhost ([2a00:79e0:9d:4:e8c:2042:5dec:b586]) by smtp.gmail.com with ESMTPSA id d4-20020adfe884000000b003144b95e1ecsm33480wrm.93.2023.07.26.14.42.32 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 26 Jul 2023 14:42:32 -0700 (PDT) From: Jann Horn To: Andrew Morton Cc: Linus Torvalds , Peter Zijlstra , Suren Baghdasaryan , Matthew Wilcox , linux-kernel@vger.kernel.org, linux-mm@kvack.org, Alan Stern , Andrea Parri , Will Deacon , Boqun Feng , Nicholas Piggin , David Howells , Jade Alglave , Luc Maranget , "Paul E. McKenney" , Akira Yokosawa , Daniel Lustig , Joel Fernandes Subject: [PATCH 1/2] mm: lock_vma_under_rcu() must check vma->anon_vma under vma lock Date: Wed, 26 Jul 2023 23:41:03 +0200 Message-ID: <20230726214103.3261108-3-jannh@google.com> X-Mailer: git-send-email 2.41.0.487.g6d72f3e995-goog In-Reply-To: <20230726214103.3261108-1-jannh@google.com> References: <20230726214103.3261108-1-jannh@google.com> MIME-Version: 1.0 X-Rspamd-Queue-Id: CDE57100014 X-Rspam-User: X-Rspamd-Server: rspam11 X-Stat-Signature: wxbf3hz3dhb8xx45rsno7dci1ukqboud X-HE-Tag: 1690407754-521903 X-HE-Meta: U2FsdGVkX1/NmY1AsqUdsQj/FVBRLnY2kkdHcoqdK72EiGlRn/m3/i/djtHdKIxB0F14Je3eHgKzKxJ5TJt0j95MFtggG5FcgK7WKMw1VUI/Rzi1NGuTn8WFr38aSQoOeVtUZMS3UgF3COgQYivrcskXFGXox5WF+ze0Gqkxx4azbn72JX3IbD0Ly5gzlTU8yWl4IK2MogpHqEi7++XVLeTTRAHMrUhEZfCEF3Bzli1yLXuV+OCzRL4EtbgDb61/tm4pV6skSJ2BBFnzm0CdcJ+wkNkAsQYrp8IBlT0qZlm5mGIEXNVxTPrCP8xGXUeabRZb1mG/wpJo9gDGg2Ek85D7nDqqOonCCFFpA0WB5FUb1BZz5X2OTbeBFR+Om8JSwsDG80PHjjEuL0NlPzu6Vrie4QOc9Oi5Jy3Bg1Kuu4/bJJAoevq2H16MN0SGnrnxzm4ERNLrmnVPPFkYK/kNcGRzUD8t70x1ZQoBLs+Kyn6mD/xAQoX6lvXB5vRbnWwjtFHSbg1OSae5Jprd4evMVWBgAnQRjt7FAfCLiOtruZKWgs4XpXw1ncrZ6RL7Prt5CfaXOIaRY8mkbyed4FJK6aknpM1+yhsKskJubjDvRsilLLlpqc0OcwL9BCO1sIIHLAFC/1cn+wVbBACdkJctOD2dau0Ckz9LqyxiUIhPUmJWQKjkLkhNdk13eO8aWP4ibpCnkk2H97x0fLXy+rKAkOT2uNoXEYudekLzmGKGQOcNiS9vX52bFoqWTMmctp6fdh8uoK4CXBFepB61tMkwAaVX1JM9bDYgGq8mHyAKOIVwSoG/2XOK0PDxtsfKl+yGLJqXlKxkpOAOa6H6hEKZgyCj4OwyXRJu4xv5chzHEtNsLey4gLo4qLD4HyQZ9BvDwEKR+T7lvs8jv+A77tjkqcCmI+D3YMi7uNwvOuUrjwHHPQrEds3w9JRooHqeBVfZsk372HOYoa+x599wqDD miMzlVTr +xEELSPzhw8fcm3DtSR+r0+OX6lm9G3DunGTcfXjAcyydIuC0z59+3iHWPrcu54Oy/VnnSfU6PVApKeGxI8DAnBIdYSLYpUTW6JQ1eF3N/QTVluUp0o4RQA8sizsCM6c5UBbNSre8+ChSPgJ4zkgWWplp5qtdbGvqErkIH0krcNMytobv+yMvLMmG0+1bhMYsvXM2SYIIKx+2/16TlBPTTcZQhplSSre3L8bLFq93gZhtj0YTaAr7orBwuXYPIjsTW2Ms1qh+6HEGL31kJNLW+azFv2PYBpiYS4kmIpzszVaEsvdG1c8Mq9ALX20WQC1LzJxdUzYnG0P85K5ZU6C7FGJVV6x4X+uP2y1/lqZupaeNUf3AnsDzQZxlmh/RXgX8z00L0B4n69wwLLsOG6a+EpL5apP4hshaGmHOHgTlk4e7TTwgwlX/g4MSoPyAamArjiM0oJLuyKBUgm8X5N9rC/IKOx42euxua1M9Lc1jTQcf0TXI11kniLEIsAAy1OVLFBdj77jliaLsB5s/BTBRZwb/UB9hR3GCL12I2qTryPjRQXoWaHDQu3+E/Q== X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: lock_vma_under_rcu() tries to guarantee that __anon_vma_prepare() can't be called in the VMA-locked page fault path by ensuring that vma->anon_vma is set. However, this check happens before the VMA is locked, which means a concurrent move_vma() can concurrently call unlink_anon_vmas(), which disassociates the VMA's anon_vma. This means we can get UAF in the following scenario: THREAD 1 THREAD 2 ======== ======== lock_vma_under_rcu() rcu_read_lock() mas_walk() check vma->anon_vma mremap() syscall move_vma() vma_start_write() unlink_anon_vmas() handle_mm_fault() __handle_mm_fault() handle_pte_fault() do_pte_missing() do_anonymous_page() anon_vma_prepare() __anon_vma_prepare() find_mergeable_anon_vma() mas_walk() [looks up VMA X] munmap() syscall (deletes VMA X) reusable_anon_vma() [called on freed VMA X] This is a security bug if you can hit it, although an attacker would have to win two races at once where the first race window is only a few instructions wide. This patch is based on some previous discussion with Linus Torvalds on the security list. Cc: stable@vger.kernel.org Fixes: 5e31275cc997 ("mm: add per-VMA lock and helper functions to control it") Signed-off-by: Jann Horn Reviewed-by: Suren Baghdasaryan --- mm/memory.c | 28 ++++++++++++++++------------ 1 file changed, 16 insertions(+), 12 deletions(-) diff --git a/mm/memory.c b/mm/memory.c index 01f39e8144ef..603b2f419948 100644 --- a/mm/memory.c +++ b/mm/memory.c @@ -5393,27 +5393,28 @@ struct vm_area_struct *lock_vma_under_rcu(struct mm_struct *mm, if (!vma_is_anonymous(vma) && !vma_is_tcp(vma)) goto inval; - /* find_mergeable_anon_vma uses adjacent vmas which are not locked */ - if (!vma->anon_vma && !vma_is_tcp(vma)) - goto inval; - if (!vma_start_read(vma)) goto inval; + /* + * find_mergeable_anon_vma uses adjacent vmas which are not locked. + * This check must happen after vma_start_read(); otherwise, a + * concurrent mremap() with MREMAP_DONTUNMAP could dissociate the VMA + * from its anon_vma. + */ + if (unlikely(!vma->anon_vma && !vma_is_tcp(vma))) + goto inval_end_read; + /* * Due to the possibility of userfault handler dropping mmap_lock, avoid * it for now and fall back to page fault handling under mmap_lock. */ - if (userfaultfd_armed(vma)) { - vma_end_read(vma); - goto inval; - } + if (userfaultfd_armed(vma)) + goto inval_end_read; /* Check since vm_start/vm_end might change before we lock the VMA */ - if (unlikely(address < vma->vm_start || address >= vma->vm_end)) { - vma_end_read(vma); - goto inval; - } + if (unlikely(address < vma->vm_start || address >= vma->vm_end)) + goto inval_end_read; /* Check if the VMA got isolated after we found it */ if (vma->detached) { @@ -5425,6 +5426,9 @@ struct vm_area_struct *lock_vma_under_rcu(struct mm_struct *mm, rcu_read_unlock(); return vma; + +inval_end_read: + vma_end_read(vma); inval: rcu_read_unlock(); count_vm_vma_lock_event(VMA_LOCK_ABORT);