bpf: Fix use-after-free on mm_struct in bpf_find_vma()#8024
Open
kernel-patches-daemon-bpf-rc[bot] wants to merge 1 commit into
Open
bpf: Fix use-after-free on mm_struct in bpf_find_vma()#8024kernel-patches-daemon-bpf-rc[bot] wants to merge 1 commit into
kernel-patches-daemon-bpf-rc[bot] wants to merge 1 commit into
Conversation
Author
|
Upstream branch: c15261b |
kernel-patches-daemon-bpf-rc
Bot
force-pushed
the
bpf-next_base
branch
from
58d8cc8 to
4d4751c
Compare
Author
|
Upstream branch: 140fa23 |
kernel-patches-daemon-bpf-rc
Bot
force-pushed
the
series/1108917=>bpf-next
branch
from
d94712d to
35ef64f
Compare
kernel-patches-daemon-bpf-rc
Bot
force-pushed
the
bpf-next_base
branch
from
4d4751c to
dcffd40
Compare
Author
|
Upstream branch: 2e8ad1f |
kernel-patches-daemon-bpf-rc
Bot
force-pushed
the
series/1108917=>bpf-next
branch
from
35ef64f to
bca1403
Compare
kernel-patches-daemon-bpf-rc
Bot
force-pushed
the
bpf-next_base
branch
from
dcffd40 to
8b7f742
Compare
Author
|
Upstream branch: 30dee2c |
bpf_find_vma() reads task->mm and calls mmap_read_trylock(mm) without holding a reference on the mm. On a foreign task, a concurrent exit_mm() can free the mm_struct between the lockless read and the trylock, resulting in a use-after-free. mm_struct is not SLAB_TYPESAFE_BY_RCU. For the current task, task->mm is stable. For a foreign task, pin the mm under task->alloc_lock and release it with mmput_async(), mirroring commit d8e27d2 ("bpf: fix mm lifecycle in open-coded task_vma iterator"). Use spin_trylock() instead of get_task_mm() so BPF context does not block on alloc_lock. Reject irqs-disabled contexts and !CONFIG_MMU on the foreign-task path because dropping the mm reference is not safe there. Race: CPU0 (BPF program) CPU1 (exiting task) ============================ ========================== bpf_find_vma(foreign_task): mm = task->mm exit_mm(): task->mm = NULL mmput(mm) -> frees mm_struct mmap_read_trylock(mm) // UAF on mm Fixes: 7c7e3d3 ("bpf: Introduce helper bpf_find_vma") Signed-off-by: Sanghyun Park <sanghyun.park.cnu@gmail.com>
kernel-patches-daemon-bpf-rc
Bot
force-pushed
the
series/1108917=>bpf-next
branch
from
bca1403 to
3bf9edd
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Pull request for series with
subject: bpf: Fix use-after-free on mm_struct in bpf_find_vma()
version: 4
url: https://patchwork.kernel.org/project/netdevbpf/list/?series=1108917