Received: by 10.213.65.68 with SMTP id h4csp3060841imn; Mon, 9 Apr 2018 13:40:15 -0700 (PDT) X-Google-Smtp-Source: AIpwx4+OfA17s5YuAhacZAgBAe3LDuhXQimz0jMugfN8DMSSfye3PK1WNikTB4UagjEjLnFVSNQJ X-Received: by 10.99.119.2 with SMTP id s2mr19828030pgc.436.1523306415016; Mon, 09 Apr 2018 13:40:15 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1523306414; cv=none; d=google.com; s=arc-20160816; b=Jk666a7p9K7F5P5IqdqUGubqe4KKrAFuKjGmdYFzNox2OHBOcKEy/00ZSp9QHUR6Gj izFvD+2q392Yq5cp21U3Mlb5GE/Jj9QpckfkczSpUovVJQsyw1iRokeggLcagVkKL0Ux 1uqP/cDIL+L6usq+jC69+O3Lbgs00L0l8jC7b6njxqKCiQG+xU+hDJYAkBeSlDOm1/Ov /SXOBY8kn+G5LL2hJFpp9jDUs4tJm/xd7vhFOrCbh58a08U0+IkCQ727wm6J1Wh8YlYx PpDcCjrNGzz+WtcntgXsXe8iLKBcg/0G+SB7dgCA/IE/YMJBOoua2fkWglYS7R1Sw+02 RtbQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:dkim-signature:arc-authentication-results; bh=m3uAcMmkZko7aWTpKtYzszOtnnB43jwHWVt4gZj5fo0=; b=hsm7jmUYj+2Q1rp023N1lhR6O5gY0Ume20FPbpaUI7vFUC6DCI1XsIuFts1nuaOrKq hIb9PLJ6hGfqMQyXBVKAMyxQhk/G1EtFPzSorwXlUgkcjK3nEG6aqYtoQxEIVH1XYTlI Bull5zKgTDbWvsGufdObmImGlAExFiP2WhZdQj6QEPz8Lz4+hgT/LZgqdPrZEH+KH8yZ aOs/gtaji/bV8MTEoreHVpSjqn2xnshPwW2W41HkrS9WlNB499uxJJ4uWIJhMrWRjBVG op4S/CYgKtiAE96Gvl2ZDou5yN8XSr5Mbc+kMFgWUVlzLps7TjjTuVCGNmOtgjNIQdQ5 JnpQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=GPeZCQJk; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 16si812844pfk.71.2018.04.09.13.39.37; Mon, 09 Apr 2018 13:40:14 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=GPeZCQJk; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754539AbeDIUgl (ORCPT + 99 others); Mon, 9 Apr 2018 16:36:41 -0400 Received: from mail-pf0-f193.google.com ([209.85.192.193]:44918 "EHLO mail-pf0-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1754076AbeDIUgi (ORCPT ); Mon, 9 Apr 2018 16:36:38 -0400 Received: by mail-pf0-f193.google.com with SMTP id p15so6377364pff.11; Mon, 09 Apr 2018 13:36:37 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to:user-agent; bh=m3uAcMmkZko7aWTpKtYzszOtnnB43jwHWVt4gZj5fo0=; b=GPeZCQJkJgOnk2cuoNY3BQpl6msMy9b8Uw+hR6Lx5V0W35jDO+2mDFs25uixZmq59e ZT8i6uR+yKVaCjpGZleR0X2r7HF7C7qc6+wOrbkHCvKS11Yp5wy/r7x1jOJhDudz+LTE 4VzBdDCGHFOJ8VGkCo8GXA7WBIcw9ULL6CDCTDlRAcR6B6uXugSNcEBczPz91X83Ek5z 4dAh2+5c0fCqLRkF9sUllmmE3ro6dtbEwpjsdCSF5F11CpTfuEQLeWs47c3GzNYKzNmA fyHpKYafhZjtWW8w3XNFlAfDtunrqUO08733CPrdSLLUzZdwsH39TT05KuI9dULZQ1xj rpvw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to:user-agent; bh=m3uAcMmkZko7aWTpKtYzszOtnnB43jwHWVt4gZj5fo0=; b=PZWnbKkqfej/K81Ryao6VFS0X8U0DkaQDZ0tXzujXfTn2bXFnAjbrdC08owvGa3ng9 fPLz4PurZaRtLieZuY0LYQ19ifhhyx9cP5l6ymDss1C6W+TJSyvOPr/wQlxFgt9pTdNN Sz31T4D2LTMvDBmn3x45JtQu4P94hXxUCQnL2T8JDqV+wJ2yM/kB7QHBxBfGmBINLI8g TeWjnnVwn0uMbm4HcaQyG8AuaMjfGrUhJTsdH4pv38wLP11jc0dtrt46DtyXehK+fGC6 tF9nLLY71LvFSKp6MJo8Y7nMMJnsXa4l5fWskkEDHgMKHjIr0InBFd9cXZLcHqb/L6eX M7Sw== X-Gm-Message-State: AElRT7GR5/UHxa31EqK7UphgJE+DQ4UoupMMWG2JuyP/LkfI6K0xr/+w FI40I9TDzZzclENaV5k5zAU= X-Received: by 10.99.54.73 with SMTP id d70mr25429064pga.86.1523306197449; Mon, 09 Apr 2018 13:36:37 -0700 (PDT) Received: from gmail.com ([2620:15c:17:3:dc28:5c82:b905:e8a8]) by smtp.gmail.com with ESMTPSA id d199sm2043776pfd.95.2018.04.09.13.36.36 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Mon, 09 Apr 2018 13:36:36 -0700 (PDT) Date: Mon, 9 Apr 2018 13:36:35 -0700 From: Eric Biggers To: Davidlohr Bueso Cc: linux-mm@kvack.org, Andrew Morton , linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, "Kirill A . Shutemov" , Manfred Spraul , "Eric W . Biederman" , syzkaller-bugs@googlegroups.com Subject: Re: [PATCH] ipc/shm: fix use-after-free of shm file via remap_file_pages() Message-ID: <20180409203635.GD203367@gmail.com> References: <94eb2c06f65e5e2467055d036889@google.com> <20180409043039.28915-1-ebiggers3@gmail.com> <20180409094813.bsjc3u2hnsrdyiuk@black.fi.intel.com> <20180409185016.GA203367@gmail.com> <20180409201232.3rweldbjtvxjj5ql@linux-n805> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20180409201232.3rweldbjtvxjj5ql@linux-n805> User-Agent: Mutt/1.9.2 (2017-12-15) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Apr 09, 2018 at 01:12:32PM -0700, Davidlohr Bueso wrote: > On Mon, 09 Apr 2018, Eric Biggers wrote: > > > It's necessary because if we don't hold a reference to sfd->file, then it can be > > a stale pointer when we compare it in __shm_open(). In particular, if the new > > struct file happened to be allocated at the same address as the old one, then > > 'sfd->file == shp->shm_file' so the mmap would be allowed. But, it will be a > > different shm segment than was intended. The caller may not even have > > permissions to map it normally, yet it would be done anyway. > > > > In the end it's just broken to have a pointer to something that can be freed out > > from under you... > > So this is actually handled by shm_nattch, serialized by the ipc perm->lock. > shm_destroy() is called when 0, which in turn does the fput(shm_file). Note > that shm_file is given a count of 1 when a new segment is created (deep in > get_empty_filp()). So I don't think the pointer is going anywhere, or am I missing > something? > > Thanks, > Davidlohr In the remap_file_pages() case, a reference is taken to the ->vm_file, then the segment is unmapped. If that brings ->shm_nattch to 0, then the underlying shm segment and ID can be removed, which (currently) causes the real shm file to be freed. But, the outer file still exists and will have ->mmap() called on it. That's why the outer file needs to hold a reference to the real shm file. Eric