linux-stable

mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git synced 2024-09-28 21:33:52 +00:00

No description

Find a file

Carlos Llamas ca0cc0a9c6 binder: fix UAF of alloc->vma in race with munmap() commit `d1d8875c8c` upstream. [ cmllamas: clean forward port from commit `015ac18be7` ("binder: fix UAF of alloc->vma in race with munmap()") in 5.10 stable. It is needed in mainline after the revert of commit `a43cfc87ca` ("android: binder: stop saving a pointer to the VMA") as pointed out by Liam. The commit log and tags have been tweaked to reflect this. ] In commit `720c241924` ("ANDROID: binder: change down_write to down_read") binder assumed the mmap read lock is sufficient to protect alloc->vma inside binder_update_page_range(). This used to be accurate until commit `dd2283f260` ("mm: mmap: zap pages with read mmap_sem in munmap"), which now downgrades the mmap_lock after detaching the vma from the rbtree in munmap(). Then it proceeds to teardown and free the vma with only the read lock held. This means that accesses to alloc->vma in binder_update_page_range() now will race with vm_area_free() in munmap() and can cause a UAF as shown in the following KASAN trace: ================================================================== BUG: KASAN: use-after-free in vm_insert_page+0x7c/0x1f0 Read of size 8 at addr ffff16204ad00600 by task server/558 CPU: 3 PID: 558 Comm: server Not tainted 5.10.150-00001-gdc8dcf942daa #1 Hardware name: linux,dummy-virt (DT) Call trace: dump_backtrace+0x0/0x2a0 show_stack+0x18/0x2c dump_stack+0xf8/0x164 print_address_description.constprop.0+0x9c/0x538 kasan_report+0x120/0x200 __asan_load8+0xa0/0xc4 vm_insert_page+0x7c/0x1f0 binder_update_page_range+0x278/0x50c binder_alloc_new_buf+0x3f0/0xba0 binder_transaction+0x64c/0x3040 binder_thread_write+0x924/0x2020 binder_ioctl+0x1610/0x2e5c __arm64_sys_ioctl+0xd4/0x120 el0_svc_common.constprop.0+0xac/0x270 do_el0_svc+0x38/0xa0 el0_svc+0x1c/0x2c el0_sync_handler+0xe8/0x114 el0_sync+0x180/0x1c0 Allocated by task 559: kasan_save_stack+0x38/0x6c __kasan_kmalloc.constprop.0+0xe4/0xf0 kasan_slab_alloc+0x18/0x2c kmem_cache_alloc+0x1b0/0x2d0 vm_area_alloc+0x28/0x94 mmap_region+0x378/0x920 do_mmap+0x3f0/0x600 vm_mmap_pgoff+0x150/0x17c ksys_mmap_pgoff+0x284/0x2dc __arm64_sys_mmap+0x84/0xa4 el0_svc_common.constprop.0+0xac/0x270 do_el0_svc+0x38/0xa0 el0_svc+0x1c/0x2c el0_sync_handler+0xe8/0x114 el0_sync+0x180/0x1c0 Freed by task 560: kasan_save_stack+0x38/0x6c kasan_set_track+0x28/0x40 kasan_set_free_info+0x24/0x4c __kasan_slab_free+0x100/0x164 kasan_slab_free+0x14/0x20 kmem_cache_free+0xc4/0x34c vm_area_free+0x1c/0x2c remove_vma+0x7c/0x94 __do_munmap+0x358/0x710 __vm_munmap+0xbc/0x130 __arm64_sys_munmap+0x4c/0x64 el0_svc_common.constprop.0+0xac/0x270 do_el0_svc+0x38/0xa0 el0_svc+0x1c/0x2c el0_sync_handler+0xe8/0x114 el0_sync+0x180/0x1c0 [...] ================================================================== To prevent the race above, revert back to taking the mmap write lock inside binder_update_page_range(). One might expect an increase of mmap lock contention. However, binder already serializes these calls via top level alloc->mutex. Also, there was no performance impact shown when running the binder benchmark tests. Fixes: `c0fd210178` ("Revert "android: binder: stop saving a pointer to the VMA"") Fixes: `dd2283f260` ("mm: mmap: zap pages with read mmap_sem in munmap") Reported-by: Jann Horn <jannh@google.com> Closes: https://lore.kernel.org/all/20230518144052.xkj6vmddccq4v66b@revolver Cc: <stable@vger.kernel.org> Cc: Minchan Kim <minchan@kernel.org> Cc: Yang Shi <yang.shi@linux.alibaba.com> Cc: Liam Howlett <liam.howlett@oracle.com> Signed-off-by: Carlos Llamas <cmllamas@google.com> Acked-by: Todd Kjos <tkjos@google.com> Link: https://lore.kernel.org/r/20230519195950.1775656-1-cmllamas@google.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>		2023-05-30 14:17:23 +01:00
arch	parisc: Handle kprobes breakpoints only in kernel context	2023-05-30 14:17:22 +01:00
block	block: fix bio-cache for passthru IO	2023-05-30 14:17:22 +01:00
certs	Kbuild updates for v6.3	2023-02-26 11:53:25 -08:00
crypto	crypto: jitter - permanent and intermittent health errors	2023-05-24 17:30:06 +01:00
Documentation	dt-binding: cdns,usb3: Fix cdns,on-chip-buff-size type	2023-05-30 14:17:22 +01:00
drivers	binder: fix UAF of alloc->vma in race with munmap()	2023-05-30 14:17:23 +01:00
fs	btrfs: use nofs when cleaning up aborted transactions	2023-05-30 14:17:22 +01:00
include	ipv{4,6}/raw: fix output xfrm lookup wrt protocol	2023-05-30 14:17:21 +01:00
init	gcc: disable '-Warray-bounds' for gcc-13 too	2023-04-23 09:56:20 -07:00
io_uring	io_uring/rsrc: check for nonconsecutive pages	2023-05-11 23:17:38 +09:00
ipc	Merge branch 'work.namespace' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs	2023-02-24 19:20:07 -08:00
kernel	rethook: use preempt_{disable, enable}_notrace in rethook_trampoline_handler	2023-05-24 17:30:24 +01:00
lib	maple_tree: make maple state reusable after mas_empty_area()	2023-05-24 17:30:22 +01:00
LICENSES	LICENSES: Add the copyleft-next-0.3.1 license	2022-11-08 15:44:01 +01:00
mm	mm/vmemmap/devdax: fix kernel crash when probing devdax devices	2023-05-30 14:17:20 +01:00
net	ipv{4,6}/raw: fix output xfrm lookup wrt protocol	2023-05-30 14:17:21 +01:00
rust	rust: allow to use INIT_STACK_ALL_ZERO	2023-04-19 19:34:43 +02:00
samples	samples/bpf: Fix fout leak in hbm's run_bpf_prog	2023-05-24 17:30:06 +01:00
scripts	recordmcount: Fix memory leaks in the uwrite function	2023-05-24 17:30:10 +01:00
security	selinux: ensure av_permissions.h is built when needed	2023-05-11 23:16:57 +09:00
sound	ASoC: rt5682: Disable jack detection interrupt during suspend	2023-05-30 14:17:21 +01:00
tools	cxl/port: Enable the HDM decoder capability for switch ports	2023-05-30 14:17:22 +01:00
usr	initramfs: Check negative timestamp to prevent broken cpio archive	2023-04-16 17:37:01 +09:00
virt	KVM: Fix vcpu_array[0] races	2023-05-24 17:30:22 +01:00
.clang-format	cpumask: re-introduce constant-sized cpumask optimizations	2023-03-05 14:30:34 -08:00
.cocciconfig	scripts: add Linux .cocciconfig for coccinelle	2016-07-22 12:13:39 +02:00
.get_maintainer.ignore	get_maintainer: add Alan to .get_maintainer.ignore	2022-08-20 15:17:44 -07:00
.gitattributes	.gitattributes: use 'dts' diff driver for *.dtso files	2023-02-26 15:28:23 +09:00
.gitignore	kbuild: rpm-pkg: move source components to rpmbuild/SOURCES	2023-03-16 22:45:56 +09:00
.mailmap	Networking fixes for 6.3-rc8, including fixes from netfilter and bpf	2023-04-20 11:03:51 -07:00
.rustfmt.toml	rust: add `.rustfmt.toml`	2022-09-28 09:02:20 +02:00
COPYING	COPYING: state that all contributions really are covered by this file	2020-02-10 13:32:20 -08:00
CREDITS	There is no particular theme here - mainly quick hits all over the tree.	2023-02-23 17:55:40 -08:00
Kbuild	Kbuild updates for v6.1	2022-10-10 12:00:45 -07:00
Kconfig	kbuild: ensure full rebuild when the compiler is updated	2020-05-12 13:28:33 +09:00
MAINTAINERS	MAINTAINERS: Resume MPTCP co-maintainer role	2023-04-19 18:10:24 -07:00
Makefile	Linux 6.3.4	2023-05-24 17:30:25 +01:00
README	Drop all 00-INDEX files from Documentation/	2018-09-09 15:08:58 -06:00

README

Linux kernel
============

There are several guides for kernel developers and users. These guides can
be rendered in a number of formats, like HTML and PDF. Please read
Documentation/admin-guide/README.rst first.

In order to build the documentation, use ``make htmldocs`` or
``make pdfdocs``.  The formatted documentation can also be read online at:

    https://www.kernel.org/doc/html/latest/

There are various text files in the Documentation/ subdirectory,
several of them using the Restructured Text markup notation.

Please read the Documentation/process/changes.rst file, as it contains the
requirements for building and running the kernel, and information about
the problems which may result by upgrading your kernel.