Revision - 73223e4 - mm/mempolicy: fix use after free when calling get_mempolicy

Revision 73223e4e2e3867ebf033a5a8eb2e5df0158ccc99 authored by zhong jiang on 18 August 2017, 22:16:24 UTC, committed by Linus Torvalds on 18 August 2017, 22:32:02 UTC

mm/mempolicy: fix use after free when calling get_mempolicy

I hit a use after free issue when executing trinity and repoduced it
with KASAN enabled.  The related call trace is as follows.

  BUG: KASan: use after free in SyS_get_mempolicy+0x3c8/0x960 at addr ffff8801f582d766
  Read of size 2 by task syz-executor1/798

  INFO: Allocated in mpol_new.part.2+0x74/0x160 age=3 cpu=1 pid=799
     __slab_alloc+0x768/0x970
     kmem_cache_alloc+0x2e7/0x450
     mpol_new.part.2+0x74/0x160
     mpol_new+0x66/0x80
     SyS_mbind+0x267/0x9f0
     system_call_fastpath+0x16/0x1b
  INFO: Freed in __mpol_put+0x2b/0x40 age=4 cpu=1 pid=799
     __slab_free+0x495/0x8e0
     kmem_cache_free+0x2f3/0x4c0
     __mpol_put+0x2b/0x40
     SyS_mbind+0x383/0x9f0
     system_call_fastpath+0x16/0x1b
  INFO: Slab 0xffffea0009cb8dc0 objects=23 used=8 fp=0xffff8801f582de40 flags=0x200000000004080
  INFO: Object 0xffff8801f582d760 @offset=5984 fp=0xffff8801f582d600

  Bytes b4 ffff8801f582d750: ae 01 ff ff 00 00 00 00 5a 5a 5a 5a 5a 5a 5a 5a  ........ZZZZZZZZ
  Object ffff8801f582d760: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
  Object ffff8801f582d770: 6b 6b 6b 6b 6b 6b 6b a5                          kkkkkkk.
  Redzone ffff8801f582d778: bb bb bb bb bb bb bb bb                          ........
  Padding ffff8801f582d8b8: 5a 5a 5a 5a 5a 5a 5a 5a                          ZZZZZZZZ
  Memory state around the buggy address:
  ffff8801f582d600: fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc
  ffff8801f582d680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
  >ffff8801f582d700: fc fc fc fc fc fc fc fc fc fc fc fc fb fb fb fc

!shared memory policy is not protected against parallel removal by other
thread which is normally protected by the mmap_sem.  do_get_mempolicy,
however, drops the lock midway while we can still access it later.

Early premature up_read is a historical artifact from times when
put_user was called in this path see https://lwn.net/Articles/124754/
but that is gone since 8bccd85ffbaf ("[PATCH] Implement sys_* do_*
layering in the memory policy layer.").  but when we have the the
current mempolicy ref count model.  The issue was introduced
accordingly.

Fix the issue by removing the premature release.

Link: http://lkml.kernel.org/r/1502950924-27521-1-git-send-email-zhongjiang@huawei.com
Signed-off-by: zhong jiang <zhongjiang@huawei.com>
Acked-by: Michal Hocko <mhocko@suse.com>
Cc: Minchan Kim <minchan@kernel.org>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: David Rientjes <rientjes@google.com>
Cc: Mel Gorman <mgorman@techsingularity.net>
Cc: <stable@vger.kernel.org>	[2.6+]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

1 parent da094e4

Files
Changes

Permalinks

highuid.txt

===================================================
Notes on the change from 16-bit UIDs to 32-bit UIDs
===================================================

:Author: Chris Wing <wingc@umich.edu>
:Last updated: January 11, 2000

- kernel code MUST take into account __kernel_uid_t and __kernel_uid32_t
  when communicating between user and kernel space in an ioctl or data
  structure.

- kernel code should use uid_t and gid_t in kernel-private structures and
  code.

What's left to be done for 32-bit UIDs on all Linux architectures:

- Disk quotas have an interesting limitation that is not related to the
  maximum UID/GID. They are limited by the maximum file size on the
  underlying filesystem, because quota records are written at offsets
  corresponding to the UID in question.
  Further investigation is needed to see if the quota system can cope
  properly with huge UIDs. If it can deal with 64-bit file offsets on all 
  architectures, this should not be a problem.

- Decide whether or not to keep backwards compatibility with the system
  accounting file, or if we should break it as the comments suggest
  (currently, the old 16-bit UID and GID are still written to disk, and
  part of the former pad space is used to store separate 32-bit UID and
  GID)

- Need to validate that OS emulation calls the 16-bit UID
  compatibility syscalls, if the OS being emulated used 16-bit UIDs, or
  uses the 32-bit UID system calls properly otherwise.

  This affects at least:

	- iBCS on Intel

	- sparc32 emulation on sparc64
	  (need to support whatever new 32-bit UID system calls are added to
	  sparc32)

- Validate that all filesystems behave properly.

  At present, 32-bit UIDs _should_ work for:

	- ext2
	- ufs
	- isofs
	- nfs
	- coda
	- udf

  Ioctl() fixups have been made for:

	- ncpfs
	- smbfs

  Filesystems with simple fixups to prevent 16-bit UID wraparound:

	- minix
	- sysv
	- qnx4

  Other filesystems have not been checked yet.

- The ncpfs and smpfs filesystems cannot presently use 32-bit UIDs in
  all ioctl()s. Some new ioctl()s have been added with 32-bit UIDs, but
  more are needed. (as well as new user<->kernel data structures)

- The ELF core dump format only supports 16-bit UIDs on arm, i386, m68k,
  sh, and sparc32. Fixing this is probably not that important, but would
  require adding a new ELF section.

- The ioctl()s used to control the in-kernel NFS server only support
  16-bit UIDs on arm, i386, m68k, sh, and sparc32.

- make sure that the UID mapping feature of AX25 networking works properly
  (it should be safe because it's always used a 32-bit integer to
  communicate between user and kernel)

Showing with 0 additions and 0 deletions (0 / 0 diffs computed)

Computing file changes ...