Date: Mon, 9 Apr 2018 11:50:16 -0700
From: Eric Biggers
To: "Kirill A. Shutemov"
Cc: linux-mm@kvack.org, Andrew Morton, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, Davidlohr Bueso, Manfred Spraul, "Eric W . Biederman", syzkaller-bugs@googlegroups.com
Subject: Re: [PATCH] ipc/shm: fix use-after-free of shm file via remap_file_pages()
Message-ID: <20180409185016.GA203367@gmail.com>
References: <94eb2c06f65e5e2467055d036889@google.com> <20180409043039.28915-1-ebiggers3@gmail.com> <20180409094813.bsjc3u2hnsrdyiuk@black.fi.intel.com>
In-Reply-To: <20180409094813.bsjc3u2hnsrdyiuk@black.fi.intel.com>
List-ID: linux-kernel@vger.kernel.org

On Mon, Apr 09, 2018 at 12:48:14PM +0300, Kirill A. Shutemov wrote:
> On Mon, Apr 09, 2018 at 04:30:39AM +0000, Eric Biggers wrote:
> > diff --git a/ipc/shm.c b/ipc/shm.c
> > index acefe44fefefa..c80c5691a9970 100644
> > --- a/ipc/shm.c
> > +++ b/ipc/shm.c
> > @@ -225,6 +225,12 @@ static int __shm_open(struct vm_area_struct *vma)
> >  	if (IS_ERR(shp))
> >  		return PTR_ERR(shp);
> >  
> > +	if (shp->shm_file != sfd->file) {
> > +		/* ID was reused */
> > +		shm_unlock(shp);
> > +		return -EINVAL;
> > +	}
> > +
> >  	shp->shm_atim = ktime_get_real_seconds();
> >  	ipc_update_pid(&shp->shm_lprid, task_tgid(current));
> >  	shp->shm_nattch++;
> > @@ -455,8 +461,9 @@ static int shm_mmap(struct file *file, struct vm_area_struct *vma)
> >  	int ret;
> >  
> >  	/*
> > -	 * In case of remap_file_pages() emulation, the file can represent
> > -	 * removed IPC ID: propogate shm_lock() error to caller.
> > +	 * In case of remap_file_pages() emulation, the file can represent an
> > +	 * IPC ID that was removed, and possibly even reused by another shm
> > +	 * segment already. Propagate this case as an error to caller.
> >  	 */
> >  	ret = __shm_open(vma);
> >  	if (ret)
> > @@ -480,6 +487,7 @@ static int shm_release(struct inode *ino, struct file *file)
> >  	struct shm_file_data *sfd = shm_file_data(file);
> >  
> >  	put_ipc_ns(sfd->ns);
> > +	fput(sfd->file);
> >  	shm_file_data(file) = NULL;
> >  	kfree(sfd);
> >  	return 0;
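Review bot: in the __shm_open() hunk, the `shp->shm_file != sfd->file` test is only sound while sfd->file is guaranteed to still point at the original struct file; a bare pointer to a freed file can compare equal if the allocation is reused for the new segment's file. The `/* ID was reused */` comment should state that sfd->file is a held reference (taken in do_shmat()) so the pointer cannot be stale, otherwise the get_file() elsewhere in the patch reads as an unrelated change and is at risk of being dropped later, which is exactly the question raised further down in this thread.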
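Review bot: with `fput(sfd->file)` added to shm_release(), shm_release() becomes the only place the reference taken in do_shmat() is dropped, so any do_shmat() path that allocates sfd and fails after `sfd->file = get_file(shp->shm_file)` must either run through shm_release() or fput() the file itself before freeing sfd, or the reference (and the shm file) leaks. The hunks shown do not include do_shmat()'s error handling after security_mmap_file(), so that path is worth confirming in the full function.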
> > @@ -1432,7 +1440,7 @@ long do_shmat(int shmid, char __user *shmaddr, int shmflg,
> >  	file->f_mapping = shp->shm_file->f_mapping;
> >  	sfd->id = shp->shm_perm.id;
> >  	sfd->ns = get_ipc_ns(ns);
> > -	sfd->file = shp->shm_file;
> > +	sfd->file = get_file(shp->shm_file);
> >  	sfd->vm_ops = NULL;
> >  
> >  	err = security_mmap_file(file, prot, flags);
> 
> Hm. Why do we need sfd->file refcounting now? It's not obvious to me.
> 
> Looks like it's either a separate bug or an unneeded change.
> 

It's necessary because if we don't hold a reference to sfd->file, then it can be
a stale pointer when we compare it in __shm_open(). In particular, if the new
struct file happened to be allocated at the same address as the old one, then
'sfd->file == shp->shm_file' so the mmap would be allowed. But, it will be a
different shm segment than was intended. The caller may not even have
permissions to map it normally, yet it would be done anyway. In the end it's
just broken to have a pointer to something that can be freed out from under
you...

- Eric
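Review bot: `sfd->file = get_file(shp->shm_file)` in the do_shmat() hunk carries no comment saying why the reference is now needed, and the reviewer question immediately after it shows the reason is not obvious from the code: the pointer is compared in __shm_open() on a later remap_file_pages() emulation, and without a reference the original struct file can be freed and its address reused, so the comparison would succeed for a different segment. A one-line comment at this site, e.g. `/* hold the file: __shm_open() compares this pointer, so it must not dangle */`, would record that and tie the get_file() to the fput() added in shm_release().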
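Eric's point above, that a bare pointer to a freed struct file can compare equal to a new file allocated at the same address, can be shown outside the kernel. The following is an added example, not code from the patch or from the kernel: it models struct file with a refcount, uses a small LIFO slab so that a freed slot is deterministically handed out again, and runs the shmat / IPC_RMID / shmget / remap sequence twice, once with the pre-patch bare pointer and once with the get_file()/fput() pair the patch adds. The names `pool`, `shm_open_check`, `reuse_scenario` and the `tag` field are this example's own, and the one-slot id reuse stands in for the kernel's index plus sequence-number ids.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for struct file: a refcount plus a tag naming the segment it backs. */
struct file { int refcount; int tag; };

/* Tiny LIFO slab: the slot freed most recently is handed out next, so "free a
 * file, then allocate a file" returns the same address. The kernel allocator
 * makes that likely rather than certain; it is forced here for reproducibility. */
#define NFILES 4
static struct file pool[NFILES], *freelist[NFILES];
static int nfree;

static void slab_init(void) {
	nfree = 0;
	for (int i = NFILES - 1; i >= 0; i--)
		freelist[nfree++] = &pool[i];
}

static struct file *file_alloc(int tag) {
	struct file *f = freelist[--nfree];	/* the pool is never exhausted below */
	f->refcount = 1;
	f->tag = tag;
	return f;
}

static struct file *get_file(struct file *f) { f->refcount++; return f; }

static void fput(struct file *f) {
	if (--f->refcount == 0) {
		memset(f, 0, sizeof(*f));	/* freed: the old contents are gone */
		freelist[nfree++] = f;
	}
}

/* Segment table: the slot index doubles as the IPC id, and a removed slot is
 * reused by the next shmget(), i.e. the "ID was reused" case of the patch. */
#define NSEGS 2
struct shmid_kernel { bool live; struct file *shm_file; };
static struct shmid_kernel segs[NSEGS];

static int shmget(int tag) {
	for (int i = 0; i < NSEGS; i++)
		if (!segs[i].live) {
			segs[i].live = true;
			segs[i].shm_file = file_alloc(tag);
			return i;
		}
	return -ENOSPC;
}

static void shm_rmid(int id) {	/* shmctl(IPC_RMID) with nothing attached */
	segs[id].live = false;
	fput(segs[id].shm_file);
	segs[id].shm_file = NULL;
}

/* What do_shmat() leaves in the mapping's file: the id and the backing file
 * pointer, with or without the reference the patch's get_file() takes. */
struct shm_file_data { int id; struct file *file; };

/* The check the patch adds to __shm_open(): a removed id fails shm_lock(),
 * a reused id is caught by comparing the backing file pointers. */
static int shm_open_check(const struct shm_file_data *sfd) {
	const struct shmid_kernel *shp = &segs[sfd->id];
	if (!shp->live)
		return -EINVAL;		/* shm_lock() error: id removed */
	if (shp->shm_file != sfd->file)
		return -EINVAL;		/* ID was reused */
	return 0;
}

/* shmat, IPC_RMID, a shmget() that reuses the id, then a remap_file_pages()
 * style reopen of the stale mapping. Returns the __shm_open() result and,
 * when that is 0, the tag of the segment the caller would really map. */
static int reuse_scenario(bool hold_ref, int *mapped_tag) {
	slab_init();
	memset(segs, 0, sizeof(segs));
	*mapped_tag = -1;
	int id = shmget(100);
	struct shm_file_data sfd = { .id = id,
		.file = hold_ref ? get_file(segs[id].shm_file) : segs[id].shm_file };
	shm_rmid(id);		/* segment 100 removed; its file freed unless sfd holds it */
	shmget(200);		/* same id again, and the same file slot if it was freed */
	int ret = shm_open_check(&sfd);
	if (ret == 0)
		*mapped_tag = sfd.file->tag;	/* the dangling pointer now names segment 200 */
	if (hold_ref)
		fput(sfd.file);	/* shm_release() with the patch's fput() */
	return ret;
}

int main(void) {
	int tag, ret = reuse_scenario(false, &tag);
	printf("bare pointer : ret=%d, segment mapped=%d\n", ret, tag);
	ret = reuse_scenario(true, &tag);
	printf("with get_file: ret=%d, segment mapped=%d\n", ret, tag);
}
```

Without the reference, shm_rmid() frees the only file and shmget(200) gets the same slot back, so the stale sfd.file compares equal to the new segment's file and the reopen is allowed against segment 200. With the reference, the old file survives IPC_RMID, the new segment gets a different slot, and the comparison correctly fails with -EINVAL.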