From: "Matthew Wilcox (Oracle)" To: linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, Alexander Viro Cc: "Matthew Wilcox (Oracle)" , Denys Vlasenko , Kees Cook , Eric Biederman , Jann Horn , Vlastimil Babka , "Liam R . Howlett" Subject: [PATCH] binfmt_elf: Take the mmap lock when walking the VMA list Date: Mon, 31 Jan 2022 15:37:40 +0000 Message-Id: <20220131153740.2396974-1-willy@infradead.org> X-Mailer: git-send-email 2.31.1 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org I'm not sure if the VMA list can change under us, but dump_vma_snapshot() is very careful to take the mmap_lock in write mode. We only need to take it in read mode here as we do not care if the size of the stack VMA changes underneath us. If it can be changed underneath us, this is a potential use-after-free for a multithreaded process which is dumping core. Fixes: 2aa362c49c31 ("coredump: extend core dump note section to contain file names of mapped files") Signed-off-by: Matthew Wilcox (Oracle) Reviewed-by: Liam R. Howlett --- fs/binfmt_elf.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c index 605017eb9349..dc2318355762 100644 --- a/fs/binfmt_elf.c +++ b/fs/binfmt_elf.c @@ -1651,6 +1651,7 @@ static int fill_files_note(struct memelfnote *note) name_base = name_curpos = ((char *)data) + names_ofs; remaining = size - names_ofs; count = 0; + mmap_read_lock(mm); for (vma = mm->mmap; vma != NULL; vma = vma->vm_next) { struct file *file; const char *filename; @@ -1661,6 +1662,7 @@ static int fill_files_note(struct memelfnote *note) filename = file_path(file, name_curpos, remaining); if (IS_ERR(filename)) { if (PTR_ERR(filename) == -ENAMETOOLONG) { + mmap_read_unlock(mm); kvfree(data); size = size * 5 / 4; goto alloc; 
@@ -1680,6 +1682,7 @@ static int fill_files_note(struct memelfnote *note) *start_end_ofs++ = vma->vm_pgoff; count++; } + mmap_read_unlock(mm); /* Now we know exact count of files, can store it */ data[0] = count; -- 2.34.1
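Review bot: In the first hunk (the `mmap_read_lock(mm);` added before `for (vma = mm->mmap; vma != NULL; vma = vma->vm_next)`), the lock is taken inside the `alloc:` retry path, so every way out of that loop must now release it; the series adds an unlock on the `-ENAMETOOLONG` retry and after the loop, but the branch for other `IS_ERR(filename)` values is outside the shown context. Please confirm that branch only `continue`s and does not `return` or `goto` past the unlock, and consider a one-line comment above the lock stating that it protects the `mm->mmap` walk, since the commit message itself says it is unsure the list can change here.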
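Review bot: In the second hunk, placing `mmap_read_unlock(mm);` before `kvfree(data); size = size * 5 / 4; goto alloc;` is the right order, as the retry re-allocates at `alloc:` with the lock dropped rather than allocating under `mmap_lock`. One thing worth noting in the commit message or a comment: after the lock is dropped and re-taken, the walk starts from `mm->mmap` again, so the enlarged buffer is sized against the previous pass, and a VMA list that grows between passes simply triggers another retry.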
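Review bot: In the third hunk, `mmap_read_unlock(mm);` sits directly after the last VMA dereference (`*start_end_ofs++ = vma->vm_pgoff;`) and before `data[0] = count;`, which only touches the local buffer, so the placement is correct. Since the commit message says the read lock is sufficient because the recorded `vm_start`/`vm_end`/`vm_pgoff` values need not match a VMA that changes afterwards, a short comment here saying the lock only guards the list walk, not consistency with the memory dumped later, would make that intent clear to future readers.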