Jann Horn 93a0b7d43d mm: lock_vma_under_rcu() must check vma->anon_vma under vma lock
commit 657b514695 upstream.

lock_vma_under_rcu() tries to guarantee that __anon_vma_prepare() can't
be called in the VMA-locked page fault path by ensuring that
vma->anon_vma is set.

However, this check happens before the VMA is locked, which means a
concurrent move_vma() can concurrently call unlink_anon_vmas(), which
disassociates the VMA's anon_vma.

This means we can get UAF in the following scenario:

  THREAD 1                   THREAD 2
  ========                   ========
  <page fault>
    lock_vma_under_rcu()
      rcu_read_lock()
      mas_walk()
      check vma->anon_vma

                             mremap() syscall
                               move_vma()
                                vma_start_write()
                                 unlink_anon_vmas()
                             <syscall end>

    handle_mm_fault()
      __handle_mm_fault()
        handle_pte_fault()
          do_pte_missing()
            do_anonymous_page()
              anon_vma_prepare()
                __anon_vma_prepare()
                  find_mergeable_anon_vma()
                    mas_walk() [looks up VMA X]

                             munmap() syscall (deletes VMA X)

                    reusable_anon_vma() [called on freed VMA X]

This is a security bug if you can hit it, although an attacker would
have to win two races at once where the first race window is only a few
instructions wide.

This patch is based on some previous discussion with Linus Torvalds on
the security list.

Cc: stable@vger.kernel.org
Fixes: 5e31275cc9 ("mm: add per-VMA lock and helper functions to control it")
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2023-08-11 12:14:05 +02:00
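As an added illustration (not part of the commit or of the kernel source), the following userspace C model contrasts the ordering the commit message describes, anon_vma checked before the per-VMA read lock, with the ordering the commit title prescribes, anon_vma checked under the lock. `struct vma`, `move_vma()`, `racer_fn` and the `write_locked` flag are simplified stand-ins of my own, not kernel definitions; the racer callback injects THREAD 2's mremap() at the point in THREAD 1 where the real window lies.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed model of a VMA with a per-VMA lock; not the kernel's struct. */
struct anon_vma { int id; };
struct vma {
    struct anon_vma *anon_vma;  /* NULL: a fault would have to call __anon_vma_prepare() */
    bool write_locked;          /* stands in for vm_lock_seq == mm->mm_lock_seq */
};

/* vma_start_read() fails while a writer holds the VMA lock. */
static bool vma_start_read(struct vma *v) { return !v->write_locked; }
static void vma_start_write(struct vma *v) { v->write_locked = true; }
static void vma_end_write(struct vma *v)   { v->write_locked = false; }

/* THREAD 2 from the commit message: move_vma() unlinks the anon_vma under the write lock. */
static void move_vma(struct vma *v)
{
    vma_start_write(v);
    v->anon_vma = NULL;          /* unlink_anon_vmas() */
    vma_end_write(v);            /* <syscall end>: write lock released */
}

typedef void (*racer_fn)(struct vma *);

/* Before the fix: anon_vma is checked BEFORE the lock; the racer runs in that window. */
static struct vma *lock_vma_under_rcu_old(struct vma *v, racer_fn racer)
{
    if (!v->anon_vma)
        return NULL;             /* fall back to the mmap_lock path */
    racer(v);                    /* concurrent mremap() lands here */
    if (!vma_start_read(v))
        return NULL;
    return v;                    /* returned with anon_vma == NULL: the UAF path is reachable */
}

/* After the fix: take the read lock first, then check anon_vma while holding it. */
static struct vma *lock_vma_under_rcu_fixed(struct vma *v, racer_fn racer)
{
    racer(v);                    /* same window, now before the lock is taken */
    if (!vma_start_read(v))
        return NULL;
    if (!v->anon_vma)            /* checked under the VMA lock: a writer cannot clear it now */
        return NULL;
    return v;
}

/* True when the VMA-locked fault path would end up calling __anon_vma_prepare(). */
static bool fault_needs_anon_vma_prepare(struct vma *(*lock)(struct vma *, racer_fn))
{
    struct anon_vma av = { 1 };
    struct vma v = { &av, false };
    struct vma *locked = lock(&v, move_vma);
    return locked && !locked->anon_vma;
}
```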

Linux kernel
============

There are several guides for kernel developers and users. These guides can
be rendered in a number of formats, like HTML and PDF. Please read
Documentation/admin-guide/README.rst first.

In order to build the documentation, use ``make htmldocs`` or
``make pdfdocs``.  The formatted documentation can also be read online at:

    https://www.kernel.org/doc/html/latest/

There are various text files in the Documentation/ subdirectory,
several of them using the Restructured Text markup notation.

Please read the Documentation/process/changes.rst file, as it contains the
requirements for building and running the kernel, and information about
the problems which may result from upgrading your kernel.