Date: Tue, 10 Apr 2018 12:14:13 -0700
From: Eric Biggers
To: "Kirill A. Shutemov"
Cc: Davidlohr Bueso, linux-mm@kvack.org, Andrew Morton, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, "Kirill A. Shutemov", Manfred Spraul, "Eric W. Biederman", syzkaller-bugs@googlegroups.com
Subject: Re: [PATCH] ipc/shm: fix use-after-free of shm file via remap_file_pages()
Message-ID: <20180410191413.GA214391@gmail.com>
References: <94eb2c06f65e5e2467055d036889@google.com> <20180409043039.28915-1-ebiggers3@gmail.com> <20180409094813.bsjc3u2hnsrdyiuk@black.fi.intel.com> <20180409185016.GA203367@gmail.com> <20180409201232.3rweldbjtvxjj5ql@linux-n805> <20180409203635.GD203367@gmail.com> <20180410075822.wspmi4imsp3s7m27@node.shutemov.name>
In-Reply-To: <20180410075822.wspmi4imsp3s7m27@node.shutemov.name>
List-ID: linux-kernel@vger.kernel.org

On Tue, Apr 10, 2018 at 10:58:22AM +0300, Kirill A. Shutemov wrote:
> On Mon, Apr 09, 2018 at 01:36:35PM -0700, Eric Biggers wrote:
> > On Mon, Apr 09, 2018 at 01:12:32PM -0700, Davidlohr Bueso wrote:
> > > On Mon, 09 Apr 2018, Eric Biggers wrote:
> > > >
> > > > It's necessary because if we don't hold a reference to sfd->file, then it can be
> > > > a stale pointer when we compare it in __shm_open(). In particular, if the new
> > > > struct file happened to be allocated at the same address as the old one, then
> > > > 'sfd->file == shp->shm_file' so the mmap would be allowed. But, it will be a
> > > > different shm segment than was intended. The caller may not even have
> > > > permissions to map it normally, yet it would be done anyway.
> > > >
> > > > In the end it's just broken to have a pointer to something that can be freed out
> > > > from under you...
> > >
> > > So this is actually handled by shm_nattch, serialized by the ipc perm->lock.
> > > shm_destroy() is called when 0, which in turn does the fput(shm_file). Note
> > > that shm_file is given a count of 1 when a new segment is created (deep in
> > > get_empty_filp()). So I don't think the pointer is going anywhere, or am I missing
> > > something?
> > >
> > > Thanks,
> > > Davidlohr
> >
> > In the remap_file_pages() case, a reference is taken to the ->vm_file, then the
> > segment is unmapped. If that brings ->shm_nattch to 0, then the underlying shm
> > segment and ID can be removed, which (currently) causes the real shm file to be
> > freed. But, the outer file still exists and will have ->mmap() called on it.
> > That's why the outer file needs to hold a reference to the real shm file.
>
> Okay, fair enough. Logic in SysV IPC implementation is often hard to follow.
> Could you include the description in the commit message?
>
> And feel free to use my
>
> Acked-by: Kirill A. Shutemov
>

I'll send v2 to update the commit message and add a comment.

Thanks,
Eric
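A userspace model of the lifetime argument made in the thread above, added here as an example; it is not kernel code and not code from any participant. The names shp, sfd, shm_file, shm_close() and shm_destroy() follow the objects discussed, but their bodies, the refcount stand-in for struct file and shm_remap_model() are simplified assumptions of this example.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Refcounted stand-in for struct file. At refcount zero we mark the
 * object freed instead of calling free(), so a would-be use-after-free
 * is reported deterministically rather than by reading dead memory. */
struct file { int refs; bool freed; int seg_id; };

static struct file *file_new(int seg_id) {
    struct file *f = calloc(1, sizeof *f);
    f->refs = 1;          /* as in get_empty_filp(): born with a count of 1 */
    f->seg_id = seg_id;
    return f;
}
static void get_file(struct file *f) { f->refs++; }
static void fput(struct file *f) { if (--f->refs == 0) f->freed = true; }

/* The real segment (shp) and the private data of the outer file (sfd). */
struct shmid_kernel { struct file *shm_file; int nattch; };
struct shm_file_data { struct file *file; };

static void shm_destroy(struct shmid_kernel *shp) { fput(shp->shm_file); }
static void shm_close(struct shmid_kernel *shp) {
    if (--shp->nattch == 0)   /* last mapping gone: segment and ID removed */
        shm_destroy(shp);
}

/* Walk the remap_file_pages() path from the thread: the outer file is
 * pinned, the mapping is unmapped (nattch -> 0, segment destroyed), then
 * ->mmap() runs on the still-pinned outer file and dereferences
 * sfd->file. hold_ref selects whether sfd pins the real shm file.
 * Returns 1 when sfd->file is alive at ->mmap() time and released
 * exactly once afterwards, 0 for use-after-free, -1 for a leak. */
int shm_remap_model(bool hold_ref) {
    struct shmid_kernel shp = { file_new(42), 1 };   /* one attachment */
    struct shm_file_data sfd = { shp.shm_file };     /* outer file from shm_mmap() */
    if (hold_ref)
        get_file(sfd.file);   /* the fix: outer file keeps the real file alive */

    shm_close(&shp);          /* remap_file_pages() unmaps: nattch hits 0 */
    bool alive_at_mmap = !sfd.file->freed;   /* __shm_open() reads sfd->file here */

    if (hold_ref)
        fput(sfd.file);       /* shm_release(): outer file torn down */
    bool released = sfd.file->freed;
    free(sfd.file);
    return !alive_at_mmap ? 0 : (released ? 1 : -1);
}
```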