Skip to content

Commit 6e88fe5

Browse files
surenbaghdasaryangregkh
authored andcommitted
mm: fix a UAF when vma->mm is freed after vma->vm_refcnt got dropped
commit 9bbffee upstream. By inducing delays in the right places, Jann Horn created a reproducer for a hard to hit UAF issue that became possible after VMAs were allowed to be recycled by adding SLAB_TYPESAFE_BY_RCU to their cache. Race description is borrowed from Jann's discovery report: lock_vma_under_rcu() looks up a VMA locklessly with mas_walk() under rcu_read_lock(). At that point, the VMA may be concurrently freed, and it can be recycled by another process. vma_start_read() then increments the vma->vm_refcnt (if it is in an acceptable range), and if this succeeds, vma_start_read() can return a recycled VMA. In this scenario where the VMA has been recycled, lock_vma_under_rcu() will then detect the mismatching ->vm_mm pointer and drop the VMA through vma_end_read(), which calls vma_refcount_put(). vma_refcount_put() drops the refcount and then calls rcuwait_wake_up() using a copy of vma->vm_mm. This is wrong: It implicitly assumes that the caller is keeping the VMA's mm alive, but in this scenario the caller has no relation to the VMA's mm, so the rcuwait_wake_up() can cause UAF. The diagram depicting the race: T1 T2 T3 == == == lock_vma_under_rcu mas_walk <VMA gets removed from mm> mmap <the same VMA is reallocated> vma_start_read __refcount_inc_not_zero_limited_acquire munmap __vma_enter_locked refcount_add_not_zero vma_end_read vma_refcount_put __refcount_dec_and_test rcuwait_wait_event <finish operation> rcuwait_wake_up [UAF] Note that rcuwait_wait_event() in T3 does not block because refcount was already dropped by T1. At this point T3 can exit and free the mm causing UAF in T1. To avoid this we move vma->vm_mm verification into vma_start_read() and grab vma->vm_mm to stabilize it before vma_refcount_put() operation. [surenb@google.com: v3] Link: https://lkml.kernel.org/r/20250729145709.2731370-1-surenb@google.com Link: https://lkml.kernel.org/r/20250728175355.2282375-1-surenb@google.com Fixes: 3104138 ("mm: make vma cache SLAB_TYPESAFE_BY_RCU") Signed-off-by: Suren Baghdasaryan <surenb@google.com> Reported-by: Jann Horn <jannh@google.com> Closes: https://lore.kernel.org/all/CAG48ez0-deFbVH=E3jbkWx=X3uVbd8nWeo6kbJPQ0KoUD+m2tA@mail.gmail.com/ Reviewed-by: Vlastimil Babka <vbabka@suse.cz> Acked-by: Lorenzo Stoakes <lorenzo.stoakes@oracle.com> Cc: Jann Horn <jannh@google.com> Cc: Liam Howlett <liam.howlett@oracle.com> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Suren Baghdasaryan <surenb@google.com>
1 parent bd3c4ef commit 6e88fe5

2 files changed

Lines changed: 31 additions & 2 deletions

File tree

include/linux/mm.h

Lines changed: 30 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -33,6 +33,7 @@
3333
#include <linux/slab.h>
3434
#include <linux/cacheinfo.h>
3535
#include <linux/rcuwait.h>
36+
#include <linux/sched/mm.h>
3637

3738
struct mempolicy;
3839
struct anon_vma;
@@ -716,6 +717,10 @@ static inline void vma_refcount_put(struct vm_area_struct *vma)
716717
* reused and attached to a different mm before we lock it.
717718
* Returns the vma on success, NULL on failure to lock and EAGAIN if vma got
718719
* detached.
720+
*
721+
* WARNING! The vma passed to this function cannot be used if the function
722+
* fails to lock it because in certain cases RCU lock is dropped and then
723+
* reacquired. Once RCU lock is dropped the vma can be concurently freed.
719724
*/
720725
static inline struct vm_area_struct *vma_start_read(struct mm_struct *mm,
721726
struct vm_area_struct *vma)
@@ -745,6 +750,31 @@ static inline struct vm_area_struct *vma_start_read(struct mm_struct *mm,
745750
}
746751

747752
rwsem_acquire_read(&vma->vmlock_dep_map, 0, 1, _RET_IP_);
753+
754+
/*
755+
* If vma got attached to another mm from under us, that mm is not
756+
* stable and can be freed in the narrow window after vma->vm_refcnt
757+
* is dropped and before rcuwait_wake_up(mm) is called. Grab it before
758+
* releasing vma->vm_refcnt.
759+
*/
760+
if (unlikely(vma->vm_mm != mm)) {
761+
/* Use a copy of vm_mm in case vma is freed after we drop vm_refcnt */
762+
struct mm_struct *other_mm = vma->vm_mm;
763+
764+
/*
765+
* __mmdrop() is a heavy operation and we don't need RCU
766+
* protection here. Release RCU lock during these operations.
767+
* We reinstate the RCU read lock as the caller expects it to
768+
* be held when this function returns even on error.
769+
*/
770+
rcu_read_unlock();
771+
mmgrab(other_mm);
772+
vma_refcount_put(vma);
773+
mmdrop(other_mm);
774+
rcu_read_lock();
775+
return NULL;
776+
}
777+
748778
/*
749779
* Overflow of vm_lock_seq/mm_lock_seq might produce false locked result.
750780
* False unlocked result is impossible because we modify and check

mm/memory.c

Lines changed: 1 addition & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -6554,8 +6554,7 @@ struct vm_area_struct *lock_vma_under_rcu(struct mm_struct *mm,
65546554
*/
65556555

65566556
/* Check if the vma we locked is the right one. */
6557-
if (unlikely(vma->vm_mm != mm ||
6558-
address < vma->vm_start || address >= vma->vm_end))
6557+
if (unlikely(address < vma->vm_start || address >= vma->vm_end))
65596558
goto inval_end_read;
65606559

65616560
rcu_read_unlock();

0 commit comments

Comments
 (0)