Received: by 2002:a05:7412:8521:b0:e2:908c:2ebd with SMTP id t33csp41063rdf; Thu, 2 Nov 2023 13:10:40 -0700 (PDT) X-Google-Smtp-Source: AGHT+IGYPtNxp86vZG1f9hITSKCGQzqF/p9+Jvr40CqRIaU207K5E/tQSQSYSoC3iFR8yjs/R98G X-Received: by 2002:a17:90a:1991:b0:280:76ec:dc88 with SMTP id 17-20020a17090a199100b0028076ecdc88mr9772124pji.48.1698955840356; Thu, 02 Nov 2023 13:10:40 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1698955840; cv=none; d=google.com; s=arc-20160816; b=E1p5odQv4BjIvxJkbSs+w7YOPWQI707Gio6iXfhEwyd8nFQ3m7bdxvYLi6ifvyYb23 NpwAvwkvPK7LuNXXCcrlbmksb+E+0ZBNtVG5Bk8vzBaZMOXXRr/5HQmbPyLzoDGgpc+Q K5g8GrEaLGNXm3aaHuWqBSof1bvdKuUbUUeIayii8OXTLoE0TGdL6iGN5K6Od7PFUL+k +NlyQl6cuNV/dPYu0UKiJqBJcD+zWwiD+4CByUrwADgJ8IKIHw+svYPZMGf/fJ5uEeMV B3nRbb2ViZQXlHaIRLiYC724YuBTajBYltlzoSKRorOM5nClm0MWvh1EJ97p3nZpLkQq lY9Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=frbIFMcPahMuJnundehXBvpEDhaieyav7O9JILL7nRI=; fh=w25Uu9xh6EAWmF7CiJqoOnclREd+sNVCQxc+SL5D26A=; b=f1LG8FI3dJkFyoEXKwQYhY1gzZk1uNDE45jGoffiPXMuzZuU1hE9DztIIitDjSRllW 6kncG1EtJgNoPjLQvbhdDNf3hs9j8Il5zh4BMyglAIDJsjw58gN1WEhEqDBlm/VL6lEY w6lMjzCsp+xvvJU+8P/DvTpmBC0/bRYo9V6zq1Gq/RhLq3Ucc0ThRSYIO2x+J5W5OQ17 y+so8rjrGtUWlUw8C/j1OvHQZ357uUHI/MQfwP8haFsmpkt+Ox/7zxaplC45vJ2erV4W 5rdMfA6FzR9poJvfH18CQQcqGSCyLL2VUo1CHtEJCC08kIJAKhgG8OtOD5RQsq702o6a WUHg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20230601 header.b=o+w8dFD+; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:5 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from groat.vger.email (groat.vger.email. [2620:137:e000::3:5]) by mx.google.com with ESMTPS id 3-20020a17090a08c300b002774d978e19si242080pjn.175.2023.11.02.13.10.39 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 02 Nov 2023 13:10:40 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:5 as permitted sender) client-ip=2620:137:e000::3:5; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20230601 header.b=o+w8dFD+; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:5 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by groat.vger.email (Postfix) with ESMTP id 0835D810AF4A; Thu, 2 Nov 2023 13:10:24 -0700 (PDT) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.10 at groat.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1377326AbjKBUJx (ORCPT + 99 others); Thu, 2 Nov 2023 16:09:53 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:38730 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229810AbjKBUJw (ORCPT ); Thu, 2 Nov 2023 16:09:52 -0400 Received: from mail-pf1-x42b.google.com (mail-pf1-x42b.google.com [IPv6:2607:f8b0:4864:20::42b]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id CDE55138 for ; Thu, 2 Nov 2023 13:09:49 -0700 (PDT) Received: by mail-pf1-x42b.google.com with SMTP id d2e1a72fcca58-6b1e46ca282so1439631b3a.2 for ; Thu, 02 Nov 2023 13:09:49 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1698955789; x=1699560589; darn=vger.kernel.org; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:from:to:cc:subject:date:message-id:reply-to; bh=frbIFMcPahMuJnundehXBvpEDhaieyav7O9JILL7nRI=; b=o+w8dFD+a8U1kV186JoDqputlzkTm/OvRBpP/lIZBYzRoNz9Yo1rzWbm9Tcarii0Qn VdS3IgcEv/qQ2EELTB68pmlZ3cbP77xmAJapEoyREioZsb3JgRuf4FB+/tGSYlzG04Gj TtwwSjtJ0MYEnCii0ZJT1lNrPyEXHGFEhqEeEeG3Cj5ntdEed+Ew+2OGfh64nubWPxcO gZ68dXMk7JQDQIBgMTrZ+RWt58I+EUuouSWhxB9sl1kNztplJwFkt3yWqL76pLxNXHj+ Tq2y5/7WLICf/heTqwfbUoXteYxUraBku/SKjZufCOf18h/lNPj6AS39wcFGsUDpchXD rPHg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1698955789; x=1699560589; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=frbIFMcPahMuJnundehXBvpEDhaieyav7O9JILL7nRI=; b=ImtZNftLNfbeNsh6Ck7IUnbX+AJFQAwKOpi+Nf0YhxBz7HNa3RMjmlzZtuPyt3uToQ BXcjPaT9AK/qA/PWpZQ4M8ZdMcfFN8qgQq8LviO+W6wHxsyvZ5L2q8mn8+vEhSVdud4M FiIODFzC7EpLYhPpWVSsgmJJRTlSyIcG8MLFqVaHhwJZN+ZRZwrc+I0tR4fRGg37tCVc tJhT1MLy8vLDSsr0UdhaEvuMX8t+tXGEeKUDmto+JPg9RqoAO326v/SRN2ieTOMJNacW vujlBcpAGMVuwYtS8Z/rc99zv0Z+gVKvygqCFwoCxA09oQT3DZUQZ/jj4eoYLPF4vANd 6LCg== X-Gm-Message-State: AOJu0Yyq9cJWmLf4b1YT30YSeU1IAZrAb92eNkHHGuC7W6Rv7vxzNJKP XFUEfa+ZYM7ID3C3ghHtjkpexg== X-Received: by 2002:a05:6a00:2d09:b0:6bc:f819:fcf0 with SMTP id fa9-20020a056a002d0900b006bcf819fcf0mr22638289pfb.1.1698955789068; Thu, 02 Nov 2023 13:09:49 -0700 (PDT) Received: from google.com (209.148.168.34.bc.googleusercontent.com. [34.168.148.209]) by smtp.gmail.com with ESMTPSA id u8-20020a627908000000b006baa1cf561dsm162301pfc.0.2023.11.02.13.09.47 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 02 Nov 2023 13:09:47 -0700 (PDT) Date: Thu, 2 Nov 2023 20:09:42 +0000 From: Carlos Llamas To: "Liam R. Howlett" Cc: Greg Kroah-Hartman , Arve =?iso-8859-1?B?SGr4bm5lduVn?= , Todd Kjos , Martijn Coenen , Joel Fernandes , Christian Brauner , Suren Baghdasaryan , Andrew Morton , Vlastimil Babka , "Kirill A. Shutemov" , Matthew Wilcox , Michal Hocko , linux-kernel@vger.kernel.org, kernel-team@android.com, stable@vger.kernel.org, Minchan Kim Subject: Re: [PATCH 02/21] binder: fix use-after-free in shinker's callback Message-ID: References: <20231102185934.773885-1-cmllamas@google.com> <20231102185934.773885-3-cmllamas@google.com> <20231102192051.innr2tbugspgmotw@revolver> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20231102192051.innr2tbugspgmotw@revolver> X-Spam-Status: No, score=-8.4 required=5.0 tests=DKIMWL_WL_MED,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE, USER_IN_DEF_DKIM_WL autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on groat.vger.email Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (groat.vger.email [0.0.0.0]); Thu, 02 Nov 2023 13:10:24 -0700 (PDT) On Thu, Nov 02, 2023 at 03:20:51PM -0400, Liam R. Howlett wrote: > * Carlos Llamas [231102 15:00]: > > The mmap read lock is used during the shrinker's callback, which means > > that using alloc->vma pointer isn't safe as it can race with munmap(). > > I think you know my feelings about the safety of that pointer from > previous discussions. > Yeah. The work here is not done. We actually already store the vm_start address in alloc->buffer, so in theory we don't even need to swap the alloc->vma pointer we could just drop it. So, I agree with you. I want to include this saftey "fix" along with some other work that uses the page fault handler and get_user_pages_remote(). I've tried a quick prototype of this and it works fine. > > diff --git a/drivers/android/binder_alloc.c b/drivers/android/binder_alloc.c > > index e3db8297095a..c4d60d81221b 100644 > > --- a/drivers/android/binder_alloc.c > > +++ b/drivers/android/binder_alloc.c > > @@ -1005,7 +1005,9 @@ enum lru_status binder_alloc_free_page(struct list_head *item, > > goto err_mmget; > > if (!mmap_read_trylock(mm)) > > goto err_mmap_read_lock_failed; > > - vma = binder_alloc_get_vma(alloc); > > + vma = vma_lookup(mm, page_addr); > > + if (vma && vma != binder_alloc_get_vma(alloc)) > > + goto err_invalid_vma; > > Doesn't this need to be: > if (!vma || vma != binder_alloc_get_vma(alloc)) > > This way, we catch a different vma and a NULL vma. > > Or even, just: > if (vma != binder_alloc_get_vma(alloc)) > > if the alloc vma cannot be NULL? > If the vma_lookup() is NULL then we still need to isolate and free the given binder page and we obviously skip the zap() in this case. However, if we receive a random unexpected vma because of a corrupted address or similar, then the whole process is skipped. Thus, why we use the check above. -- Carlos Llamas