[trusty/lts-backport-utopic 1/1] UBUNTU: SAUCE: aufs3: mmap: Fix races in madvise_remove() and sys_msync()
Andy Whitcroft
apw at canonical.com
Fri Oct 2 11:20:52 UTC 2015
From: Ben Hutchings <ben at decadent.org.uk>
In madvise_remove() and sys_msync() we drop the mmap_sem before
dropping references to the mapped file(s). As soon as we drop the
mmap_sem, the vma we got them from might be destroyed by another
thread, so calling vma_do_fput() is a possible use-after-free.
In these cases we don't actually need a reference to the aufs file, so
revert to using get_file() and fput() directly.
Bug-Link: https://bugs.debian.org/796036
CVE-2015-7312
Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
Signed-off-by: Andy Whitcroft <apw at canonical.com>
---
mm/madvise.c | 4 ++--
mm/msync.c | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/mm/madvise.c b/mm/madvise.c
index 8fa9f2a..2f9b533 100644
--- a/mm/madvise.c
+++ b/mm/madvise.c
@@ -328,12 +328,12 @@ static long madvise_remove(struct vm_area_struct *vma,
* vma's reference to the file) can go away as soon as we drop
* mmap_sem.
*/
- vma_get_file(vma);
+ get_file(vma);
up_read(¤t->mm->mmap_sem);
error = do_fallocate(f,
FALLOC_FL_PUNCH_HOLE | FALLOC_FL_KEEP_SIZE,
offset, end - start);
- vma_fput(vma);
+ fput(vma);
down_read(¤t->mm->mmap_sem);
return error;
}
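Review bot: the replacement lines pass the wrong object to get_file()/fput(): both take a `struct file *`, but the `+` lines read `get_file(vma);` and `fput(vma);` with a `struct vm_area_struct *`, which will not build (and would not take the reference the comment above says is needed while mmap_sem is dropped). The file pointer is already in scope as `f`, as the unchanged `error = do_fallocate(f,` line shows, so the lines should be `get_file(f);` and `fput(f);`, matching what the commit message describes as reverting to get_file()/fput() directly. Separately, `¤t->mm->mmap_sem` in the context lines is a rendering artifact of `&current->mm->mmap_sem` in this copy of the patch, not something the patch changes.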
diff --git a/mm/msync.c b/mm/msync.c
index 69b7303..3cc63ea 100644
--- a/mm/msync.c
+++ b/mm/msync.c
@@ -85,13 +85,13 @@ SYSCALL_DEFINE3(msync, unsigned long, start, size_t, len, int, flags)
start = vma->vm_end;
if ((flags & MS_SYNC) && file &&
(vma->vm_flags & VM_SHARED)) {
- vma_get_file(vma);
+ get_file(vma);
up_read(&mm->mmap_sem);
if (vma->vm_flags & VM_NONLINEAR)
error = vfs_fsync(file, 1);
else
error = vfs_fsync_range(file, fstart, fend, 1);
- vma_fput(vma);
+ fput(vma);
if (error || start >= end)
goto out;
down_read(&mm->mmap_sem);
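Review bot: same type problem as in madvise.c: `get_file(vma);` and `fput(vma);` pass a `struct vm_area_struct *` where a `struct file *` is required; the file is in scope as `file` (see the condition `(flags & MS_SYNC) && file &&` and the `vfs_fsync(file, 1)` call), so these should be `get_file(file);` and `fput(file);`. Also worth noting for a follow-up, though outside this change: the unchanged line `if (vma->vm_flags & VM_NONLINEAR)` still dereferences the vma after `up_read(&mm->mmap_sem);`, which is exactly the window the commit message says makes the vma unsafe to touch; taking the decision before dropping the lock would close it.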
--
2.5.0