From patchwork Thu Feb 10 04:32:15 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Suren Baghdasaryan X-Patchwork-Id: 12741251 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7EA26C433F5 for ; Thu, 10 Feb 2022 04:32:22 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id 88DE96B0073; Wed, 9 Feb 2022 23:32:21 -0500 (EST) Received: by kanga.kvack.org (Postfix, from userid 40) id 83C6C6B0074; Wed, 9 Feb 2022 23:32:21 -0500 (EST) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 6DC956B0075; Wed, 9 Feb 2022 23:32:21 -0500 (EST) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (relay.a.hostedemail.com [64.99.140.24]) by kanga.kvack.org (Postfix) with ESMTP id 5B2986B0073 for ; Wed, 9 Feb 2022 23:32:21 -0500 (EST) Received: from smtpin05.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay01.hostedemail.com (Postfix) with ESMTP id 10E0B60C84 for ; Thu, 10 Feb 2022 04:32:21 +0000 (UTC) X-FDA: 79125598482.05.7C63F3E Received: from mail-yb1-f201.google.com (mail-yb1-f201.google.com [209.85.219.201]) by imf13.hostedemail.com (Postfix) with ESMTP id 84E0620005 for ; Thu, 10 Feb 2022 04:32:20 +0000 (UTC) Received: by mail-yb1-f201.google.com with SMTP id q11-20020a252a0b000000b0061e240c8fb3so5937943ybq.22 for ; Wed, 09 Feb 2022 20:32:20 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=date:message-id:mime-version:subject:from:to:cc; bh=E8K8TY3WQoynog2K9gwGq6HZDB3C8OmCo9KzOU7aa4U=; b=VEq3M9r04ewU0yeCOsrcI4pyk+UJTphQS82dmWEm3+OMDQREuGfAOz66hclRVOeZPD ZkC69UIzNyQi6XmZpcslNpsl2HEelRcVlEXaDRkt2aw3y45RBwGwxv4oFj5Gr81rkpnZ 4598402E+4Auf/fBvEb1Ioi/v/xEnobpA+UFSpdYQfKb0f5g09hnpQQdJUGOAkepQpqU zFll3rEYgI9LnfylK5231W2slHLyhBVMIhnsqyG/wWMHNJRWStBANCvFiL+Y9ix5O22I 3qMjxH8FHrqQ5rhhzvN9OTn5kn33m+nDDsm26bRLzAvDWbY8RHGDwr+3F4EX/Rlq9iAa kV3w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:date:message-id:mime-version:subject:from:to:cc; bh=E8K8TY3WQoynog2K9gwGq6HZDB3C8OmCo9KzOU7aa4U=; b=s90c3wSkvTL7dLV4F2son/tjF2y1L9WKHd3SG1g2KyYilrBxqXeRJWdutcCdpTFLH6 D3VMhQzOg/lulsshyROkZbyIN86Jbe35ZpyNWBpwt0IGanv4MF2Qomfel2YLOpYAsy2o UmdfdHkfqhjBM6jq29DGwej+ubUOxmqnCST3Qf2piL1EGKhnF9wiB9KV16ZlDB0XC0Fl FC8R4OWsLLgZ2PZXkz3mSIEt55FF7+XebPfcWhf8yK6zpkJm4L1gzoV4ieG5f1ETUh5I BZLvmKR/KPM5SWEVvQ8q9sfN6tc/8a/A5aY//qqAKdffuNs31ZiVI9a2ln/IEXJTIZ57 tLFw== X-Gm-Message-State: AOAM530Ov1hBHl8zWF/5AZoKf6rigKhhcCzNYDpIZAyLMt07XRDuE+iM e3pXjtu8sGsMZruDCG3h2Vpg4d3zPIA= X-Google-Smtp-Source: ABdhPJwKTQEQto4N95ge0VYx34aTFFH/Juo7oMq89toei9Qj5rVoHC7Yc4AOA00i28n5/HaHyoRoWiP7jJE= X-Received: from surenb-desktop.mtv.corp.google.com ([2620:15c:211:200:17d2:7c05:7f59:da03]) (user=surenb job=sendgmr) by 2002:a25:8f92:: with SMTP id u18mr5679417ybl.446.1644467539833; Wed, 09 Feb 2022 20:32:19 -0800 (PST) Date: Wed, 9 Feb 2022 20:32:15 -0800 Message-Id: <20220210043215.42794-1-surenb@google.com> Mime-Version: 1.0 X-Mailer: git-send-email 2.35.1.265.g69c8d7142f-goog Subject: [PATCH v2 1/1] mm: fix use-after-free when anon vma name is used after vma is freed From: Suren Baghdasaryan To: akpm@linux-foundation.org Cc: ccross@google.com, sumit.semwal@linaro.org, mhocko@suse.com, dave.hansen@intel.com, keescook@chromium.org, willy@infradead.org, kirill.shutemov@linux.intel.com, vbabka@suse.cz, hannes@cmpxchg.org, ebiederm@xmission.com, brauner@kernel.org, legion@kernel.org, ran.xiaokai@zte.com.cn, sashal@kernel.org, chris.hyser@oracle.com, dave@stgolabs.net, pcc@google.com, caoxiaofeng@yulong.com, david@redhat.com, gorcunov@gmail.com, linux-mm@kvack.org, linux-kernel@vger.kernel.org, kernel-team@android.com, surenb@google.com, syzbot+aa7b3d4b35f9dc46a366@syzkaller.appspotmail.com Authentication-Results: imf13.hostedemail.com; dkim=pass header.d=google.com header.s=20210112 header.b=VEq3M9r0; dmarc=pass (policy=reject) header.from=google.com; spf=pass (imf13.hostedemail.com: domain of 3U5UEYgYKCKYYaXKTHMUUMRK.IUSROTad-SSQbGIQ.UXM@flex--surenb.bounces.google.com designates 209.85.219.201 as permitted sender) smtp.mailfrom=3U5UEYgYKCKYYaXKTHMUUMRK.IUSROTad-SSQbGIQ.UXM@flex--surenb.bounces.google.com X-Rspamd-Server: rspam03 X-Rspam-User: X-Stat-Signature: 9anzuiwjkg5acb6qzoa1d3tqd8h8e44c X-Rspamd-Queue-Id: 84E0620005 X-HE-Tag: 1644467540-611480 X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: When adjacent vmas are being merged it can result in the vma that was originally passed to madvise_update_vma being destroyed. In the current implementation, the name parameter passed to madvise_update_vma points directly to vma->anon_name->name and it is used after the call to vma_merge. In the cases when vma_merge merges the original vma and destroys it, this will result in use-after-free bug as shown below: madvise_vma_behavior << passes vma->anon_name->name as name param madvise_update_vma(name) vma_merge __vma_adjust vm_area_free <-- frees the vma replace_vma_anon_name(name) <-- UAF Fix this by raising the name refcount and stabilizing it. Introduce vma_anon_name_{get/put} API for this purpose. Fixes: 9a10064f5625 ("mm: add a field to store names for private anonymous memory") Reported-by: syzbot+aa7b3d4b35f9dc46a366@syzkaller.appspotmail.com Signed-off-by: Suren Baghdasaryan --- changes in v2: - Replaces name copying with refcounting and added vma_anon_name_{get/put} API, per Andrew Morton include/linux/mm_inline.h | 13 +++++++++++++ mm/madvise.c | 28 ++++++++++++++++++++++++++-- 2 files changed, 39 insertions(+), 2 deletions(-) diff --git a/include/linux/mm_inline.h b/include/linux/mm_inline.h index b725839dfe71..2ad9b28499b1 100644 --- a/include/linux/mm_inline.h +++ b/include/linux/mm_inline.h @@ -145,6 +145,11 @@ static __always_inline void del_page_from_lru_list(struct page *page, */ extern const char *vma_anon_name(struct vm_area_struct *vma); +/* mmap_lock should be read-locked */ +extern struct anon_vma_name *vma_anon_name_get(struct vm_area_struct *vma); + +extern void vma_anon_name_put(struct anon_vma_name *anon_name); + /* * mmap_lock should be read-locked for orig_vma->vm_mm. * mmap_lock should be write-locked for new_vma->vm_mm or new_vma should be @@ -176,6 +181,14 @@ static inline const char *vma_anon_name(struct vm_area_struct *vma) { return NULL; } + +static inline +struct anon_vma_name *vma_anon_name_get(struct vm_area_struct *vma) +{ + return NULL; +} + +static inline void vma_anon_name_put(struct anon_vma_name *anon_name) {} static inline void dup_vma_anon_name(struct vm_area_struct *orig_vma, struct vm_area_struct *new_vma) {} static inline void free_vma_anon_name(struct vm_area_struct *vma) {} diff --git a/mm/madvise.c b/mm/madvise.c index 5604064df464..9cf069e574c0 100644 --- a/mm/madvise.c +++ b/mm/madvise.c @@ -103,6 +103,22 @@ const char *vma_anon_name(struct vm_area_struct *vma) return vma->anon_name->name; } +struct anon_vma_name *vma_anon_name_get(struct vm_area_struct *vma) +{ + if (!has_vma_anon_name(vma)) + return NULL; + + mmap_assert_locked(vma->vm_mm); + + kref_get(&vma->anon_name->kref); + return vma->anon_name; +} + +void vma_anon_name_put(struct anon_vma_name *anon_name) +{ + kref_put(&anon_name->kref, vma_anon_name_free); +} + void dup_vma_anon_name(struct vm_area_struct *orig_vma, struct vm_area_struct *new_vma) { @@ -976,6 +992,7 @@ static int madvise_vma_behavior(struct vm_area_struct *vma, { int error; unsigned long new_flags = vma->vm_flags; + struct anon_vma_name *anon_name; switch (behavior) { case MADV_REMOVE: @@ -1040,8 +1057,15 @@ static int madvise_vma_behavior(struct vm_area_struct *vma, break; } - error = madvise_update_vma(vma, prev, start, end, new_flags, - vma_anon_name(vma)); + anon_name = vma_anon_name_get(vma); + if (anon_name) { + error = madvise_update_vma(vma, prev, start, end, new_flags, + anon_name->name); + vma_anon_name_put(anon_name); + } else { + error = madvise_update_vma(vma, prev, start, end, new_flags, + NULL); + } out: /*