* [PATCH] fork: fix incorrect fput of ->exe_file causing use-after-free
@ 2017-08-23 21:14 Eric Biggers
2017-08-24 13:20 ` Oleg Nesterov
` (2 more replies)
0 siblings, 3 replies; 8+ messages in thread
From: Eric Biggers @ 2017-08-23 21:14 UTC (permalink / raw)
To: linux-mm
Cc: Andrew Morton, linux-kernel, Dmitry Vyukov, Ingo Molnar,
Konstantin Khlebnikov, Michal Hocko, Oleg Nesterov,
Peter Zijlstra, Vlastimil Babka, stable, Eric Biggers
From: Eric Biggers <ebiggers@google.com>
Commit 7c051267931a ("mm, fork: make dup_mmap wait for mmap_sem for
write killable") made it possible to kill a forking task while it is
waiting to acquire its ->mmap_sem for write, in dup_mmap(). However, it
was overlooked that this introduced an new error path before a reference
is taken on the mm_struct's ->exe_file. Since the ->exe_file of the new
mm_struct was already set to the old ->exe_file by the memcpy() in
dup_mm(), it was possible for the mmput() in the error path of dup_mm()
to drop a reference to ->exe_file which was never taken. This caused
the struct file to later be freed prematurely.
Fix it by updating mm_init() to NULL out the ->exe_file, in the same
place it clears other things like the list of mmaps.
This bug was found by syzkaller. It can be reproduced using the
following C program:
#define _GNU_SOURCE
#include <pthread.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
static void *mmap_thread(void *_arg)
{
for (;;) {
mmap(NULL, 0x1000000, PROT_READ,
MAP_POPULATE|MAP_ANONYMOUS|MAP_PRIVATE, -1, 0);
}
}
static void *fork_thread(void *_arg)
{
usleep(rand() % 10000);
fork();
}
int main(void)
{
fork();
fork();
fork();
for (;;) {
if (fork() == 0) {
pthread_t t;
pthread_create(&t, NULL, mmap_thread, NULL);
pthread_create(&t, NULL, fork_thread, NULL);
usleep(rand() % 10000);
syscall(__NR_exit_group, 0);
}
wait(NULL);
}
}
No special kernel config options are needed. It usually causes a NULL
pointer dereference in __remove_shared_vm_struct() during exit, or in
dup_mmap() (which is usually inlined into copy_process()) during fork.
Both are due to a vm_area_struct's ->vm_file being used after it's
already been freed.
Fixes: 7c051267931a ("mm, fork: make dup_mmap wait for mmap_sem for write killable")
Google-Bug-Id: 64772007
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Ingo Molnar <mingo@kernel.org>
Cc: Konstantin Khlebnikov <koct9i@gmail.com>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: stable@vger.kernel.org # v4.7+
Signed-off-by: Eric Biggers <ebiggers@google.com>
---
kernel/fork.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/kernel/fork.c b/kernel/fork.c
index e075b7780421..cbbea277b3fb 100644
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -806,6 +806,7 @@ static struct mm_struct *mm_init(struct mm_struct *mm, struct task_struct *p,
mm_init_cpumask(mm);
mm_init_aio(mm);
mm_init_owner(mm, p);
+ RCU_INIT_POINTER(mm->exe_file, NULL);
mmu_notifier_mm_init(mm);
init_tlb_flush_pending(mm);
#if defined(CONFIG_TRANSPARENT_HUGEPAGE) && !USE_SPLIT_PMD_PTLOCKS
--
2.14.1.342.g6490525c54-goog
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
^ permalink raw reply related [flat|nested] 8+ messages in thread
* Re: [PATCH] fork: fix incorrect fput of ->exe_file causing use-after-free
2017-08-23 21:14 [PATCH] fork: fix incorrect fput of ->exe_file causing use-after-free Eric Biggers
@ 2017-08-24 13:20 ` Oleg Nesterov
2017-08-24 16:59 ` Eric Biggers
2017-08-24 15:02 ` Mark Rutland
2017-11-16 22:24 ` Jason A. Donenfeld
2 siblings, 1 reply; 8+ messages in thread
From: Oleg Nesterov @ 2017-08-24 13:20 UTC (permalink / raw)
To: Eric Biggers
Cc: linux-mm, Andrew Morton, linux-kernel, Dmitry Vyukov,
Ingo Molnar, Konstantin Khlebnikov, Michal Hocko, Peter Zijlstra,
Vlastimil Babka, stable, Eric Biggers
On 08/23, Eric Biggers wrote:
>
> From: Eric Biggers <ebiggers@google.com>
>
> Commit 7c051267931a ("mm, fork: make dup_mmap wait for mmap_sem for
> write killable") made it possible to kill a forking task while it is
> waiting to acquire its ->mmap_sem for write, in dup_mmap(). However, it
> was overlooked that this introduced an new error path before a reference
> is taken on the mm_struct's ->exe_file.
Hmm. Unless I am totally confused, the same problem with mm->exol_area?
I'll recheck....
> --- a/kernel/fork.c
> +++ b/kernel/fork.c
> @@ -806,6 +806,7 @@ static struct mm_struct *mm_init(struct mm_struct *mm, struct task_struct *p,
> mm_init_cpumask(mm);
> mm_init_aio(mm);
> mm_init_owner(mm, p);
> + RCU_INIT_POINTER(mm->exe_file, NULL);
Can't we simply move
RCU_INIT_POINTER(mm->exe_file, get_mm_exe_file(oldmm));
from dup_mmap() here? Afaics this doesn't need mmap_sem.
Good catch!
Oleg.
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH] fork: fix incorrect fput of ->exe_file causing use-after-free
2017-08-23 21:14 [PATCH] fork: fix incorrect fput of ->exe_file causing use-after-free Eric Biggers
2017-08-24 13:20 ` Oleg Nesterov
@ 2017-08-24 15:02 ` Mark Rutland
2017-08-25 10:49 ` Mark Rutland
2017-11-16 22:24 ` Jason A. Donenfeld
2 siblings, 1 reply; 8+ messages in thread
From: Mark Rutland @ 2017-08-24 15:02 UTC (permalink / raw)
To: Eric Biggers
Cc: linux-mm, Andrew Morton, linux-kernel, Dmitry Vyukov,
Ingo Molnar, Konstantin Khlebnikov, Michal Hocko, Oleg Nesterov,
Peter Zijlstra, Vlastimil Babka, stable, Eric Biggers
On Wed, Aug 23, 2017 at 02:14:08PM -0700, Eric Biggers wrote:
> From: Eric Biggers <ebiggers@google.com>
>
> Commit 7c051267931a ("mm, fork: make dup_mmap wait for mmap_sem for
> write killable") made it possible to kill a forking task while it is
> waiting to acquire its ->mmap_sem for write, in dup_mmap(). However, it
> was overlooked that this introduced an new error path before a reference
> is taken on the mm_struct's ->exe_file. Since the ->exe_file of the new
> mm_struct was already set to the old ->exe_file by the memcpy() in
> dup_mm(), it was possible for the mmput() in the error path of dup_mm()
> to drop a reference to ->exe_file which was never taken. This caused
> the struct file to later be freed prematurely.
>
> Fix it by updating mm_init() to NULL out the ->exe_file, in the same
> place it clears other things like the list of mmaps.
> diff --git a/kernel/fork.c b/kernel/fork.c
> index e075b7780421..cbbea277b3fb 100644
> --- a/kernel/fork.c
> +++ b/kernel/fork.c
> @@ -806,6 +806,7 @@ static struct mm_struct *mm_init(struct mm_struct *mm, struct task_struct *p,
> mm_init_cpumask(mm);
> mm_init_aio(mm);
> mm_init_owner(mm, p);
> + RCU_INIT_POINTER(mm->exe_file, NULL);
> mmu_notifier_mm_init(mm);
> init_tlb_flush_pending(mm);
> #if defined(CONFIG_TRANSPARENT_HUGEPAGE) && !USE_SPLIT_PMD_PTLOCKS
I've been seeing similar issues on arm64 with use-after-free of a file
and other memory corruption [1].
This patch seems to fix that; a test that normally fired in a few
minutes has been happily running for hours with this applied.
Thanks,
Mark.
[1] https://lkml.kernel.org/r/20170824113743.GA14737@leverpostej
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH] fork: fix incorrect fput of ->exe_file causing use-after-free
2017-08-24 13:20 ` Oleg Nesterov
@ 2017-08-24 16:59 ` Eric Biggers
2017-08-25 14:40 ` Oleg Nesterov
0 siblings, 1 reply; 8+ messages in thread
From: Eric Biggers @ 2017-08-24 16:59 UTC (permalink / raw)
To: Oleg Nesterov
Cc: linux-mm, Andrew Morton, linux-kernel, Dmitry Vyukov,
Ingo Molnar, Konstantin Khlebnikov, Michal Hocko, Peter Zijlstra,
Vlastimil Babka, stable, Eric Biggers
On Thu, Aug 24, 2017 at 03:20:41PM +0200, Oleg Nesterov wrote:
> On 08/23, Eric Biggers wrote:
> >
> > From: Eric Biggers <ebiggers@google.com>
> >
> > Commit 7c051267931a ("mm, fork: make dup_mmap wait for mmap_sem for
> > write killable") made it possible to kill a forking task while it is
> > waiting to acquire its ->mmap_sem for write, in dup_mmap(). However, it
> > was overlooked that this introduced an new error path before a reference
> > is taken on the mm_struct's ->exe_file.
>
> Hmm. Unless I am totally confused, the same problem with mm->exol_area?
> I'll recheck....
I'm not sure what you mean by ->exol_area.
>
> > --- a/kernel/fork.c
> > +++ b/kernel/fork.c
> > @@ -806,6 +806,7 @@ static struct mm_struct *mm_init(struct mm_struct *mm, struct task_struct *p,
> > mm_init_cpumask(mm);
> > mm_init_aio(mm);
> > mm_init_owner(mm, p);
> > + RCU_INIT_POINTER(mm->exe_file, NULL);
>
> Can't we simply move
>
> RCU_INIT_POINTER(mm->exe_file, get_mm_exe_file(oldmm));
>
> from dup_mmap() here? Afaics this doesn't need mmap_sem.
>
Two problems, even assuming that get_mm_exe_file() doesn't require mmap_sem:
- If mm_alloc_pgd() or init_new_context() in mm_init() fails, mm_init() doesn't
do the full mmput(), so the file reference would not be dropped. So it would
need to be changed to drop the file reference too.
- The file would also be set when called from mm_alloc() which is used when
exec'ing a new task. *Maybe* it would be safe to do temporarily, but it's
pointless because ->exe_file will be set later by flush_old_exec().
Eric
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH] fork: fix incorrect fput of ->exe_file causing use-after-free
2017-08-24 15:02 ` Mark Rutland
@ 2017-08-25 10:49 ` Mark Rutland
0 siblings, 0 replies; 8+ messages in thread
From: Mark Rutland @ 2017-08-25 10:49 UTC (permalink / raw)
To: Eric Biggers
Cc: linux-mm, Andrew Morton, linux-kernel, Dmitry Vyukov,
Ingo Molnar, Konstantin Khlebnikov, Michal Hocko, Oleg Nesterov,
Peter Zijlstra, Vlastimil Babka, stable, Eric Biggers
On Thu, Aug 24, 2017 at 04:02:49PM +0100, Mark Rutland wrote:
> On Wed, Aug 23, 2017 at 02:14:08PM -0700, Eric Biggers wrote:
> > From: Eric Biggers <ebiggers@google.com>
> >
> > Commit 7c051267931a ("mm, fork: make dup_mmap wait for mmap_sem for
> > write killable") made it possible to kill a forking task while it is
> > waiting to acquire its ->mmap_sem for write, in dup_mmap(). However, it
> > was overlooked that this introduced an new error path before a reference
> > is taken on the mm_struct's ->exe_file. Since the ->exe_file of the new
> > mm_struct was already set to the old ->exe_file by the memcpy() in
> > dup_mm(), it was possible for the mmput() in the error path of dup_mm()
> > to drop a reference to ->exe_file which was never taken. This caused
> > the struct file to later be freed prematurely.
> >
> > Fix it by updating mm_init() to NULL out the ->exe_file, in the same
> > place it clears other things like the list of mmaps.
>
> > diff --git a/kernel/fork.c b/kernel/fork.c
> > index e075b7780421..cbbea277b3fb 100644
> > --- a/kernel/fork.c
> > +++ b/kernel/fork.c
> > @@ -806,6 +806,7 @@ static struct mm_struct *mm_init(struct mm_struct *mm, struct task_struct *p,
> > mm_init_cpumask(mm);
> > mm_init_aio(mm);
> > mm_init_owner(mm, p);
> > + RCU_INIT_POINTER(mm->exe_file, NULL);
> > mmu_notifier_mm_init(mm);
> > init_tlb_flush_pending(mm);
> > #if defined(CONFIG_TRANSPARENT_HUGEPAGE) && !USE_SPLIT_PMD_PTLOCKS
>
> I've been seeing similar issues on arm64 with use-after-free of a file
> and other memory corruption [1].
>
> This patch seems to fix that; a test that normally fired in a few
> minutes has been happily running for hours with this applied.
Those haven't triggered after 24 hours, and in 16+ hours of fuzzing with
this applied, I haven't seen new issues. FWIW:
Tested-by: Mark Rutland <mark.rutland@arm.com>
Thanks,
Mark.
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH] fork: fix incorrect fput of ->exe_file causing use-after-free
2017-08-24 16:59 ` Eric Biggers
@ 2017-08-25 14:40 ` Oleg Nesterov
2017-08-28 15:55 ` Eric Biggers
0 siblings, 1 reply; 8+ messages in thread
From: Oleg Nesterov @ 2017-08-25 14:40 UTC (permalink / raw)
To: Eric Biggers
Cc: linux-mm, Andrew Morton, linux-kernel, Dmitry Vyukov,
Ingo Molnar, Konstantin Khlebnikov, Michal Hocko, Peter Zijlstra,
Vlastimil Babka, stable, Eric Biggers
On 08/24, Eric Biggers wrote:
>
> On Thu, Aug 24, 2017 at 03:20:41PM +0200, Oleg Nesterov wrote:
> > On 08/23, Eric Biggers wrote:
> > >
> > > From: Eric Biggers <ebiggers@google.com>
> > >
> > > Commit 7c051267931a ("mm, fork: make dup_mmap wait for mmap_sem for
> > > write killable") made it possible to kill a forking task while it is
> > > waiting to acquire its ->mmap_sem for write, in dup_mmap(). However, it
> > > was overlooked that this introduced an new error path before a reference
> > > is taken on the mm_struct's ->exe_file.
> >
> > Hmm. Unless I am totally confused, the same problem with mm->exol_area?
> > I'll recheck....
>
> I'm not sure what you mean by ->exol_area.
I meant mm->uprobes_state.xol_area, sorry
> > > --- a/kernel/fork.c
> > > +++ b/kernel/fork.c
> > > @@ -806,6 +806,7 @@ static struct mm_struct *mm_init(struct mm_struct *mm, struct task_struct *p,
> > > mm_init_cpumask(mm);
> > > mm_init_aio(mm);
> > > mm_init_owner(mm, p);
> > > + RCU_INIT_POINTER(mm->exe_file, NULL);
> >
> > Can't we simply move
> >
> > RCU_INIT_POINTER(mm->exe_file, get_mm_exe_file(oldmm));
> >
> > from dup_mmap() here? Afaics this doesn't need mmap_sem.
> >
>
> Two problems, even assuming that get_mm_exe_file() doesn't require mmap_sem:
>
> - If mm_alloc_pgd() or init_new_context() in mm_init() fails, mm_init() doesn't
> do the full mmput(), so the file reference would not be dropped. So it would
> need to be changed to drop the file reference too.
Ah yes, I forgot that mm_init() can fail after that, thanks for correcting me.
Oleg.
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH] fork: fix incorrect fput of ->exe_file causing use-after-free
2017-08-25 14:40 ` Oleg Nesterov
@ 2017-08-28 15:55 ` Eric Biggers
0 siblings, 0 replies; 8+ messages in thread
From: Eric Biggers @ 2017-08-28 15:55 UTC (permalink / raw)
To: Oleg Nesterov
Cc: linux-mm, Andrew Morton, linux-kernel, Dmitry Vyukov,
Ingo Molnar, Konstantin Khlebnikov, Michal Hocko, Peter Zijlstra,
Vlastimil Babka, stable, Eric Biggers
On Fri, Aug 25, 2017 at 04:40:36PM +0200, Oleg Nesterov wrote:
> On 08/24, Eric Biggers wrote:
> >
> > On Thu, Aug 24, 2017 at 03:20:41PM +0200, Oleg Nesterov wrote:
> > > On 08/23, Eric Biggers wrote:
> > > >
> > > > From: Eric Biggers <ebiggers@google.com>
> > > >
> > > > Commit 7c051267931a ("mm, fork: make dup_mmap wait for mmap_sem for
> > > > write killable") made it possible to kill a forking task while it is
> > > > waiting to acquire its ->mmap_sem for write, in dup_mmap(). However, it
> > > > was overlooked that this introduced an new error path before a reference
> > > > is taken on the mm_struct's ->exe_file.
> > >
> > > Hmm. Unless I am totally confused, the same problem with mm->exol_area?
> > > I'll recheck....
> >
> > I'm not sure what you mean by ->exol_area.
>
> I meant mm->uprobes_state.xol_area, sorry
>
Yep, that's a bug too. I was able to cause a use-after-free using the same
reproducer program I gave in my commit message, after setting a uprobe
tracepoint on the beginning of the fork_thread() function. I'll send a patch to
fix it when I have a chance.
Eric
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH] fork: fix incorrect fput of ->exe_file causing use-after-free
2017-08-23 21:14 [PATCH] fork: fix incorrect fput of ->exe_file causing use-after-free Eric Biggers
2017-08-24 13:20 ` Oleg Nesterov
2017-08-24 15:02 ` Mark Rutland
@ 2017-11-16 22:24 ` Jason A. Donenfeld
2 siblings, 0 replies; 8+ messages in thread
From: Jason A. Donenfeld @ 2017-11-16 22:24 UTC (permalink / raw)
To: Eric Biggers
Cc: linux-mm, Andrew Morton, LKML, Dmitry Vyukov, Ingo Molnar,
Konstantin Khlebnikov, Michal Hocko, Oleg Nesterov,
Peter Zijlstra, Vlastimil Babka, Eric Biggers
Hey Eric,
This is a pretty late response to the thread, but in case you're
curious, since Ubuntu forgot to backport this (I already emailed them
about it), I actually experienced a set of boxes that hit this bug in
the wild and were crashing every 2 weeks or so, when under highload.
It's pretty amazing that syzkaller unearthed this, resulting in a nice
test case, making it possible to debug and fix the error. Otherwise
it'd be a real heisenbug.
So, thanks.
Jason
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2017-11-16 22:24 UTC | newest]
Thread overview: 8+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-08-23 21:14 [PATCH] fork: fix incorrect fput of ->exe_file causing use-after-free Eric Biggers
2017-08-24 13:20 ` Oleg Nesterov
2017-08-24 16:59 ` Eric Biggers
2017-08-25 14:40 ` Oleg Nesterov
2017-08-28 15:55 ` Eric Biggers
2017-08-24 15:02 ` Mark Rutland
2017-08-25 10:49 ` Mark Rutland
2017-11-16 22:24 ` Jason A. Donenfeld
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).