Thread (8 messages) 8 messages, 4 authors, 2017-11-16

Re: [PATCH] fork: fix incorrect fput of ->exe_file causing use-after-free

From: Oleg Nesterov <oleg@redhat.com>
Date: 2017-08-25 14:40:41
Also in: linux-mm, stable

On 08/24, Eric Biggers wrote:
On Thu, Aug 24, 2017 at 03:20:41PM +0200, Oleg Nesterov wrote:
quoted
On 08/23, Eric Biggers wrote:
quoted
From: Eric Biggers <redacted>

Commit 7c051267931a ("mm, fork: make dup_mmap wait for mmap_sem for
write killable") made it possible to kill a forking task while it is
waiting to acquire its ->mmap_sem for write, in dup_mmap().  However, it
was overlooked that this introduced an new error path before a reference
is taken on the mm_struct's ->exe_file.
Hmm. Unless I am totally confused, the same problem with mm->exol_area?
I'll recheck....
I'm not sure what you mean by ->exol_area.
I meant mm->uprobes_state.xol_area, sorry
quoted
quoted
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -806,6 +806,7 @@ static struct mm_struct *mm_init(struct mm_struct *mm, struct task_struct *p,
 	mm_init_cpumask(mm);
 	mm_init_aio(mm);
 	mm_init_owner(mm, p);
+	RCU_INIT_POINTER(mm->exe_file, NULL);
Can't we simply move

	RCU_INIT_POINTER(mm->exe_file, get_mm_exe_file(oldmm));

from dup_mmap() here? Afaics this doesn't need mmap_sem.
Two problems, even assuming that get_mm_exe_file() doesn't require mmap_sem:

- If mm_alloc_pgd() or init_new_context() in mm_init() fails, mm_init() doesn't
  do the full mmput(), so the file reference would not be dropped.  So it would
  need to be changed to drop the file reference too.
Ah yes, I forgot that mm_init() can fail after that, thanks for correcting me.

Oleg.
Keyboard shortcuts
hback out one level
jnext message in thread
kprevious message in thread
ldrill in
Escclose help / fold thread tree
?toggle this help