Google Git
Sign in
cos / third_party / kernel / 4e1599789c3a2e4f181c99748e4499442fbc3f86
commit4e1599789c3a2e4f181c99748e4499442fbc3f86[log] [tgz]
authorLinus Torvalds <torvalds@linux-foundation.org>Fri Apr 24 11:10:58 2020 -0700
committerSaied Kazemi <saied@google.com>Thu Jan 14 17:07:11 2021 +0000
tree3b642a60289c3ec6e578dc0da45b8a5cf7aec369
parent52145a8e2c70423454f4894dcf8c80f47191478b [diff]
mm: check that mm is still valid in madvise()

IORING_OP_MADVISE can end up basically doing mprotect() on the VM of
another process, which means that it can race with our crazy core dump
handling which accesses the VM state without holding the mmap_sem
(because it incorrectly thinks that it is the final user).

This is clearly a core dumping problem, but we've never fixed it the
right way, and instead have the notion of "check that the mm is still
ok" using mmget_still_valid() after getting the mmap_sem for writing in
any situation where we're not the original VM thread.

See commit 04f5866e41fb ("coredump: fix race condition between
mmget_not_zero()/get_task_mm() and core dumping") for more background on
this whole mmget_still_valid() thing.  You might want to have a barf bag
handy when you do.

We're discussing just fixing this properly in the only remaining core
dumping routines.  But even if we do that, let's make do_madvise() do
the right thing, and then when we fix core dumping, we can remove all
these mmget_still_valid() checks.

BUG=b/174737951
TEST=presubmit
     master               sponge2/3596b1fc-fff5-4278-9641-40a89e0e5db0
     main-R81-12871.B.    sponge2/c6d1c2f1-4049-49e6-b74e-45cc92e6461a
     release-R81-12871.B. sponge2/58aaf875-6ee4-40b8-bd41-4453ce420a77
SOURCE=UPSTREAM(bc0c4d1e176eeb614dc8734fc3ace34292771f11)
RELEASE_NOTE=Fixed CVE-2020-29372 in the Linux kernel.

cos-patch: lts-refresh
Reported-and-tested-by: Jann Horn <jannh@google.com>
Fixes: c1ca757bd6f4 ("io_uring: add IORING_OP_MADVISE")
Acked-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
(cherry picked from commit bc0c4d1e176eeb614dc8734fc3ace34292771f11)
Signed-off-by: Saied Kazemi <saied@google.com>
Reviewed-on: https://cos-review.googlesource.com/c/third_party/kernel/+/10521
Reviewed-by: Robert Kolchmeyer <rkolchmeyer@google.com>
Tested-by: Cusky Presubmit Bot <presubmit@cos-infra-prod.iam.gserviceaccount.com>
(cherry picked from commit 4ba52630fceea53254630ac23798c4f1891041cf)
Signed-off-by: Saied Kazemi <saied@google.com>
Change-Id: I87364fbc4b722864676b7c41fe550c6caebabb8a
Reviewed-on: https://cos-review.googlesource.com/c/third_party/kernel/+/10600
Reviewed-by: Vaibhav Rustagi <vaibhavrustagi@google.com>
1 file changed
tree: 3b642a60289c3ec6e578dc0da45b8a5cf7aec369
  1. arch/
  2. block/
  3. certs/
  4. crypto/
  5. Documentation/
  6. drivers/
  7. firmware/
  8. fs/
  9. include/
  10. init/
  11. ipc/
  12. kernel/
  13. lib/
  14. LICENSES/
  15. mm/
  16. net/
  17. samples/
  18. scripts/
  19. security/
  20. sound/
  21. tools/
  22. usr/
  23. virt/
  24. .clang-format
  25. .cocciconfig
  26. .get_maintainer.ignore
  27. .gitattributes
  28. .gitignore
  29. .mailmap
  30. COPYING
  31. CREDITS
  32. Kbuild
  33. Kconfig
  34. MAINTAINERS
  35. Makefile
  36. PRESUBMIT.cfg
  37. README