Date: Mon, 9 Apr 2018 13:12:32 -0700
From: Davidlohr Bueso
To: Eric Biggers
Cc: "Kirill A. Shutemov", linux-mm@kvack.org, Andrew Morton, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, Manfred Spraul, "Eric W. Biederman", syzkaller-bugs@googlegroups.com
Subject: Re: [PATCH] ipc/shm: fix use-after-free of shm file via remap_file_pages()
Message-ID: <20180409201232.3rweldbjtvxjj5ql@linux-n805>
References: <94eb2c06f65e5e2467055d036889@google.com> <20180409043039.28915-1-ebiggers3@gmail.com> <20180409094813.bsjc3u2hnsrdyiuk@black.fi.intel.com> <20180409185016.GA203367@gmail.com>
In-Reply-To: <20180409185016.GA203367@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, 09 Apr 2018, Eric Biggers wrote:
> It's necessary because if we don't hold a reference to sfd->file, then it can be
> a stale pointer when we compare it in __shm_open(). In particular, if the new
> struct file happened to be allocated at the same address as the old one, then
> 'sfd->file == shp->shm_file' so the mmap would be allowed. But, it will be a
> different shm segment than was intended. The caller may not even have
> permissions to map it normally, yet it would be done anyway.
>
> In the end it's just broken to have a pointer to something that can be freed out
> from under you...

So this is actually handled by shm_nattch, serialized by the ipc perm->lock.
shm_destroy() is called when 0, which in turn does the fput(shm_file). Note
that shm_file is given a count of 1 when a new segment is created (deep in
get_empty_filp()).

So I don't think the pointer is going anywhere, or am I missing something?

Thanks,
Davidlohr
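The hazard Eric describes in the quoted text (a cached raw pointer that compares equal to a freshly allocated object occupying the same address, so an identity check passes for the wrong object) is easy to miss in the abstract. Below is an added user-space C example that is not part of the kernel, the patch, or this thread. Its `toy_file`, `mapping`, pool allocator and `run_scenario()` are my own stand-ins for `struct file`, `shm_file_data`, the slab allocator and the `__shm_open()` comparison; it does not model the ipc lock, `shm_nattch` or any other real kernel locking, only the pointer-comparison issue and the "hold a reference" fix. The pool always hands out the lowest free slot so that address reuse is deterministic; with a real allocator reuse is merely likely, which is why the bug is intermittent.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy fixed-size pool that always returns the lowest free slot, so a freed
 * object is reused immediately. Stand-in for the kernel slab allocator. */
#define POOL_SLOTS 4

struct toy_file {              /* stand-in for struct file */
    long refcount;             /* like f_count */
    int  segment_id;           /* identity of the segment this file backs */
    bool in_use;
};

static struct toy_file pool[POOL_SLOTS];

static struct toy_file *file_alloc(int segment_id)
{
    for (int i = 0; i < POOL_SLOTS; i++) {
        if (!pool[i].in_use) {
            pool[i].in_use = true;
            pool[i].refcount = 1;          /* creator's reference */
            pool[i].segment_id = segment_id;
            return &pool[i];
        }
    }
    return NULL;
}

static void file_get(struct toy_file *f) { f->refcount++; }

static void file_put(struct toy_file *f)
{
    if (--f->refcount == 0) {
        /* "freed": wipe it so stale readers see garbage, slot becomes reusable */
        f->in_use = false;
        f->segment_id = -1;
    }
}

/* Per-mapping state; stand-in for shm_file_data with its sfd->file pointer.
 * `pinned` says whether the mapping holds its own reference on the file. */
struct mapping {
    struct toy_file *file;
    bool pinned;
};

/* Stand-in for the identity check in __shm_open(): pointer equality only. */
static bool files_match(const struct mapping *m, const struct toy_file *segment_file)
{
    return m->file == segment_file;
}

/*
 * Scenario: a mapping of segment A caches a raw pointer to A's file, A is torn
 * down (its creator reference dropped), then segment B's file is allocated.
 * Returns the segment id the pointer check would let the caller map, or -1 if
 * the check fails. Unpinned: B lands in A's slot, the check is fooled, 200 is
 * returned. Pinned: A's file survives, B gets a different slot, -1 is returned.
 */
static int run_scenario(bool pinned, bool *matched_out)
{
    memset(pool, 0, sizeof pool);

    struct toy_file *seg_a = file_alloc(/*segment_id=*/100);
    struct mapping m = { .file = seg_a, .pinned = pinned };
    if (pinned)
        file_get(m.file);                  /* the fix: mapping owns a reference */

    file_put(seg_a);                       /* segment A destroyed: creator's fput */

    struct toy_file *seg_b = file_alloc(/*segment_id=*/200);

    *matched_out = files_match(&m, seg_b);
    int mapped = *matched_out ? seg_b->segment_id : -1;

    if (pinned)
        file_put(m.file);                  /* mapping closed: drop its reference */
    return mapped;
}

int main(void)
{
    bool matched;
    int id = run_scenario(false, &matched);
    printf("unpinned: match=%d, would map segment %d\n", matched, id);
    id = run_scenario(true, &matched);
    printf("pinned:   match=%d, would map segment %d\n", matched, id);
    return 0;
}
```

The point the example makes is that pointer equality says nothing about the object's identity once the pointer may be dangling; the only thing that makes the comparison meaningful is a reference that keeps the compared object from being freed and its address from being recycled.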