[trusty/lts-backport-utopic-next,2/2] UBUNTU: SAUCE: aufs3: mmap: Fix races in madvise_remove() and sys_msync()

Message ID 1444225339-5467-3-git-send-email-apw@canonical.com
State New

Commit Message

Andy Whitcroft Oct. 7, 2015, 1:42 p.m. UTC
From: Ben Hutchings <ben@decadent.org.uk>

In madvise_remove() and sys_msync() we drop the mmap_sem before
dropping references to the mapped file(s).  As soon as we drop the
mmap_sem, the vma we got them from might be destroyed by another
thread, so calling vma_do_fput() is a possible use-after-free.

In these cases we don't actually need a reference to the aufs file, so
revert to using get_file() and fput() directly.

Bug-Link: https://bugs.debian.org/796036
CVE-2015-7312
BugLink: http://bugs.launchpad.net/bugs/1503655
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: Andy Whitcroft <apw@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
Acked-by: Tim Gardner <tim.gardner@canonical.com>
Signed-off-by: Brad Figg <brad.figg@canonical.com>
---
 mm/madvise.c | 4 ++--
 mm/msync.c   | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

Patch

diff --git a/mm/madvise.c b/mm/madvise.c
index 8fa9f2a..1001381 100644
--- a/mm/madvise.c
+++ b/mm/madvise.c
@@ -328,12 +328,12 @@  static long madvise_remove(struct vm_area_struct *vma,
 	 * vma's reference to the file) can go away as soon as we drop
 	 * mmap_sem.
 	 */
-	vma_get_file(vma);
+	get_file(f);
 	up_read(&current->mm->mmap_sem);
 	error = do_fallocate(f,
 				FALLOC_FL_PUNCH_HOLE | FALLOC_FL_KEEP_SIZE,
 				offset, end - start);
-	vma_fput(vma);
+	fput(f);
 	down_read(&current->mm->mmap_sem);
 	return error;
 }
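Review bot: the comment immediately above this hunk still only says that the file (and the vma's reference to it) can go away once mmap_sem is dropped; since the fix is precisely that the aufs wrappers `vma_get_file(vma)` / `vma_fput(vma)` touch the vma after `up_read()`, it would be worth adding one sentence there stating that a private reference is taken with `get_file(f)` before the unlock and released with `fput(f)`, so that a later aufs refresh does not reintroduce the vma-based pair. The ordering in the hunk itself is right: `get_file(f)` runs before `up_read(&current->mm->mmap_sem)`, and `fput(f)` afterwards no longer dereferences the vma.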
diff --git a/mm/msync.c b/mm/msync.c
index 69b7303..0950c7b 100644
--- a/mm/msync.c
+++ b/mm/msync.c
@@ -85,13 +85,13 @@  SYSCALL_DEFINE3(msync, unsigned long, start, size_t, len, int, flags)
 		start = vma->vm_end;
 		if ((flags & MS_SYNC) && file &&
 				(vma->vm_flags & VM_SHARED)) {
-			vma_get_file(vma);
+			get_file(file);
 			up_read(&mm->mmap_sem);
 			if (vma->vm_flags & VM_NONLINEAR)
 				error = vfs_fsync(file, 1);
 			else
 				error = vfs_fsync_range(file, fstart, fend, 1);
-			vma_fput(vma);
+			fput(file);
 			if (error || start >= end)
 				goto out;
 			down_read(&mm->mmap_sem);
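Review bot: after `up_read(&mm->mmap_sem)` this hunk still reads `vma->vm_flags` in the `if (vma->vm_flags & VM_NONLINEAR)` test, which is the same pattern the commit message calls out (the vma may be destroyed by another thread once mmap_sem is dropped); the reference fix for `file` is correct, but consider evaluating the VM_NONLINEAR test into a local before the unlock, e.g. `bool nonlinear = vma->vm_flags & VM_NONLINEAR;` taken alongside `get_file(file)`, so that nothing in the unlocked region dereferences the vma.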