[PATCH openEuler-25.03 0/1] etmem: fix use-after-free of mm in the scan release process - Kernel - mailweb.openeuler.org

newer
[PATCH openEuler-1.0-LTS 0/2] Fix...

[PATCH openEuler-25.03 0/1] etmem: fix use-after-free of mm in the scan release process

older
[PATCH OLK-6.6] LoongArch: Fix...

chenrenhui

13 Jan 2025 13 Jan '25

2:46 p.m.

etmem: fix use-after-free of mm in the scan release process chenrenhui (1): etmem: fix use-after-free of mm in the scan release process fs/proc/etmem_proc.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) -- 2.33.0

Reply

Sign in to reply online Use email software

Show replies by date

chenrenhui

13 Jan 13 Jan

2:46 p.m.

New subject: [PATCH openEuler-25.03 1/1] etmem: fix use-after-free of mm in the scan release process

euleros inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/IBFHR4 CVE: NA ---------------------------------------------------- In the mm_idle_release function, etmem first uses the mmdrop to release this mm, and then call page_scan_release, resulting in a use-after-free problem. Instead, this patch swaps the placement of mmdrop and page_scan_release to avoid uaf problem. Fixes: 5d3b64fd78b8 ("etmem: add etmem scan feature") Signed-off-by: chenrenhui <chenrenhui1@huawei.com> --- fs/proc/etmem_proc.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/fs/proc/etmem_proc.c b/fs/proc/etmem_proc.c index 2e6712cc43b2..bbcbb53a949c 100644 --- a/fs/proc/etmem_proc.c +++ b/fs/proc/etmem_proc.c @@ -90,15 +90,15 @@ static int mm_idle_release(struct inode *inode, struct file *file) struct mm_struct *mm = file->private_data; int ret = 0; + if (proc_page_scan_operations.release) + ret = proc_page_scan_operations.release(inode, file); + if (mm) { if (!mm_kvm(mm)) flush_tlb_mm(mm); mmdrop(mm); } - if (proc_page_scan_operations.release) - ret = proc_page_scan_operations.release(inode, file); - if (proc_page_scan_operations.owner) module_put(proc_page_scan_operations.owner); -- 2.33.0

Reply

Sign in to reply online Use email software

patchwork bot

2:50 p.m.

反馈: 您发送到kernel@openeuler.org的补丁/补丁集，转换为PR失败！邮件列表地址：https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/C... 失败原因：补丁/补丁集的标题分支与仓库分支列表不匹配建议解决方法：请确认补丁标题中的分支是否正确，若有误则修改，无则忽略 FeedBack: The patch(es) which you have sent to kernel@openeuler.org has been converted to PR failed! Mailing list address: https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/C... Failed Reason: branch in patch(es)'s title can not match any branches in repository's branch list Suggest Solution: please checkout if the patch(es)'s branch in title is wrong and fix it, if not ignore this

Reply

Sign in to reply online Use email software

43

Age (days ago)

43

Last active (days ago)

2 comments

2 participants

tags

participants (2)

chenrenhui
patchwork bot