
Issue 889450


Issue metadata

Status: Fixed
Closed: Sep 28
OS: Chrome
Pri: 1
Type: Bug-Security

Security: potential local privilege escalation bug in vmacache code

Project Member Reported by mnissler@chromium.org, Sep 26

Issue description

Per https://www.openwall.com/lists/oss-security/2018/09/18/4:

A potential local privilege escalation bug was reported in the vmacache code dealing with 32-bit sequence number overflows, introduced in v3.16 by 6b4ebc3a9078 (mm,vmacache: optimize overflow system-wide flushing). The change introduces a "fastpath" which skips the invalidation on overflows for single threads (mm_users == 1), which can lead to a use-after-free. As reported:
[A starts as a singlethreaded process]
A: create mappings X and Y (in separate memory areas far away from other allocations)
A: perform repeated invalidations until current->mm->vmacache_seqnum==0xffffffff and current->vmacache.seqnum==0xfffffffe
A: dereference an address in mapping Y that is not paged in (thereby populating A's VMA cache with Y at seqnum 0xffffffff)
A: unmap mapping X (thereby bumping current->mm->vmacache_seqnum to 0)
A: without any more find_vma() calls (which could happen e.g. via pagefaults), create a thread B
B: perform repeated invalidations until current->mm->vmacache_seqnum==0xfffffffe
B: unmap mapping Y (thereby bumping current->mm->vmacache_seqnum to 0xffffffff)
A: dereference an address in the freed mapping Y (or any address that isn't present in the pagetables and doesn't correspond to a valid VMA cache entry)

This is fixed in 7a9cdebdcc17 (mm: get rid of vmacache_flush_all() entirely), by converting it to a 64-bit counter and not dealing with overflows anymore; which also makes the code simpler and removes rarely-run code in core kernel paths.

So a win-win altogether.

----------------------

We're vulnerable per version information (haven't checked the code).

IIUC, this allows access to a memory page that the process no longer owns? If so, likely allows privilege escalation or kernel code execution. Over to zsm@ for further triage and figuring out patch strategy.
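Added example (not part of this report, the oss-security post or the kernel tree): a user-space C model of the sequence-number logic the A/B steps above rely on, so the replay can be run once against a 32-bit counter with the mm_users == 1 fastpath and once against a 64-bit counter as in the fix. The struct layouts, the small array standing in for the VMA tree, the two-entry thread list, the way thread creation is modelled and the direct assignment of counter values in place of roughly 2^32 invalidations are simplifications chosen for this page; the function names follow mm/vmacache.c, but the bodies are a reimplementation of the behaviour described above, not the kernel's code.

```c
/* Added user-space model of the vmacache seqnum logic (mm/vmacache.c, v3.16..v4.18); not kernel code.
 * VMA tree, thread list and cache size are stand-ins; ~2^32 invalidations are replaced by direct assignment. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#define VMACACHE_SIZE 4U
#define VMACACHE_HASH(addr) (((addr) >> 12) & (VMACACHE_SIZE - 1))   /* PAGE_SHIFT == 12 */
static uint64_t seq_mask;   /* UINT32_MAX models the pre-fix counter, UINT64_MAX the fixed one */

struct vma { uint64_t start, end; bool freed; };
struct task;
struct mm {
	uint64_t seqnum; int mm_users;                /* mm->vmacache_seqnum, mm->mm_users */
	struct vma *vmas[4]; int nr_vmas;             /* stand-in for the VMA rb-tree */
	struct task *threads[2]; int nr_threads;      /* stand-in for for_each_process_thread() */
};
struct task { uint64_t seqnum; struct vma *cache[VMACACHE_SIZE]; struct mm *mm; };   /* per-task seqnum + cache */

static void vmacache_flush(struct task *t)
{
	for (unsigned i = 0; i < VMACACHE_SIZE; i++) t->cache[i] = NULL;
}

/* Pre-fix overflow handler: a single-threaded mm skips the per-task flush (the "fastpath"). */
static void vmacache_flush_all(struct mm *m)
{
	if (m->mm_users == 1) return;
	for (int i = 0; i < m->nr_threads; i++) vmacache_flush(m->threads[i]);
}

static void vmacache_invalidate(struct mm *m)
{
	m->seqnum = (m->seqnum + 1) & seq_mask;
	if (seq_mask == UINT32_MAX && m->seqnum == 0)   /* overflow path exists only for the 32-bit counter */
		vmacache_flush_all(m);
}

/* A task whose seqnum differs from the mm's gets its cache emptied; an equal seqnum is trusted. */
static bool vmacache_valid(struct task *cur)
{
	if (cur->mm->seqnum == cur->seqnum)
		return true;
	cur->seqnum = cur->mm->seqnum;
	vmacache_flush(cur);
	return false;
}

static struct vma *vmacache_find(struct task *cur, uint64_t addr)
{
	if (!vmacache_valid(cur)) return NULL;
	for (unsigned i = 0, idx = VMACACHE_HASH(addr); i < VMACACHE_SIZE; i++, idx = (idx + 1) % VMACACHE_SIZE) {
		struct vma *v = cur->cache[idx];
		if (v && v->start <= addr && addr < v->end) return v;   /* no liveness check: a stale entry is handed back */
	}
	return NULL;
}

static struct vma *find_vma(struct task *cur, uint64_t addr)
{
	struct vma *v = vmacache_find(cur, addr);
	for (int i = 0; !v && i < cur->mm->nr_vmas; i++)
		if (cur->mm->vmas[i]->start <= addr && addr < cur->mm->vmas[i]->end)
			cur->cache[VMACACHE_HASH(addr)] = v = cur->mm->vmas[i];   /* vmacache_update() */
	return v;
}

static void do_munmap(struct task *cur, struct vma *v)
{
	struct mm *m = cur->mm;
	for (int i = 0; i < m->nr_vmas; i++)
		if (m->vmas[i] == v) { m->vmas[i] = m->vmas[--m->nr_vmas]; break; }
	v->freed = true;           /* models kfree(vma); the object is kept so the dangling pointer is observable */
	vmacache_invalidate(m);
}

/* Replay the reporter's A/B steps; true means A's final lookup returned the freed VMA. */
static bool replay(bool fixed_kernel)
{
	struct vma X = { 0x10000000, 0x10001000, false }, Y = { 0x20000000, 0x20001000, false };
	struct task A = { 0 }, B = { 0 };
	struct mm m = { .mm_users = 1, .vmas = { &X, &Y }, .nr_vmas = 2, .threads = { &A }, .nr_threads = 1 };
	seq_mask = fixed_kernel ? UINT64_MAX : UINT32_MAX;
	A.mm = B.mm = &m;
	m.seqnum = 0xffffffffULL;            /* A: invalidate until mm == 0xffffffff and A == 0xfffffffe */
	A.seqnum = 0xfffffffeULL;
	if (find_vma(&A, Y.start) != &Y)     /* A: touch Y -> miss, tree walk, Y cached under 0xffffffff */
		abort();
	do_munmap(&A, &X);                   /* A: 32-bit counter wraps to 0; mm_users == 1 so A keeps its cache */
	m.mm_users = 2;                      /* A: create thread B with no find_vma() in between */
	m.threads[m.nr_threads++] = &B;
	m.seqnum = fixed_kernel ? 0x1fffffffeULL : 0xfffffffeULL;   /* B: ~2^32 more invalidations */
	do_munmap(&B, &Y);                   /* B: counter -> 0xffffffff (32-bit) or 0x1ffffffff (64-bit); Y freed */
	struct vma *v = find_vma(&A, Y.start);   /* A: fault on Y's old address */
	return v != NULL && v->freed;
}

int main(void)
{
	printf("32-bit seqnum + fastpath: freed VMA returned = %s\n", replay(false) ? "yes" : "no");
	printf("64-bit seqnum (the fix):  freed VMA returned = %s\n", replay(true) ? "yes" : "no");
	return 0;
}
```

With the 32-bit counter, A's per-task seqnum of 0xffffffff is never flushed when the mm wraps to 0, so once B brings the counter back to 0xffffffff the comparison passes and A's cache hands back the VMA B already freed. With the 64-bit counter the same number of invalidations leaves the mm at 0x1ffffffff, a value no stale per-task copy can equal again, so the lookup misses, the cache is flushed and the tree walk finds nothing.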
 
Project Member Comment 1 by sheriffbot@chromium.org, Sep 26

Labels: M-69 Target-69
Project Member Comment 2 by sheriffbot@chromium.org, Sep 26

Status: Assigned (was: Unconfirmed)
The fix is not present in any of our kernels. The patches are present in 4.14.y, 4.4.y, 3.18.y; I'll pull them down to their respective Chrome OS kernels.
Project Member Comment 5 by bugdroid1@chromium.org, Sep 28

Labels: merge-merged-chromeos-3.18
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/0bc7a97eb3fa27c5899555c582c75dede9c17976

commit 0bc7a97eb3fa27c5899555c582c75dede9c17976
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date: Fri Sep 28 02:44:22 2018

UPSTREAM: mm: get rid of vmacache_flush_all() entirely

commit 7a9cdebdcc17e426fb5287e4a82db1dfe86339b2 upstream.

Jann Horn points out that the vmacache_flush_all() function is not only
potentially expensive, it's buggy too.  It also happens to be entirely
unnecessary, because the sequence number overflow case can be avoided by
simply making the sequence number be 64-bit.  That doesn't even grow the
data structures in question, because the other adjacent fields are
already 64-bit.

So simplify the whole thing by just making the sequence number overflow
case go away entirely, which gets rid of all the complications and makes
the code faster too.  Win-win.

[ Oleg Nesterov points out that the VMACACHE_FULL_FLUSHES statistics
  also just goes away entirely with this ]

BUG= chromium:889450 
TEST=None

Change-Id: I966fa81ff047476e6f72916544846c575b86c022
Reported-by: Jann Horn <jannh@google.com>
Suggested-by: Will Deacon <will.deacon@arm.com>
Acked-by: Davidlohr Bueso <dave@stgolabs.net>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 2b8f74c8f0a4aab0a20b9e77fdc3d17e8f2405dd
	from linux-3.18.y)
Signed-off-by: Zubin Mithra <zsm@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1246405
Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com>

[modify] https://crrev.com/0bc7a97eb3fa27c5899555c582c75dede9c17976/include/linux/sched.h
[modify] https://crrev.com/0bc7a97eb3fa27c5899555c582c75dede9c17976/include/linux/mm_types.h
[modify] https://crrev.com/0bc7a97eb3fa27c5899555c582c75dede9c17976/mm/debug.c
[modify] https://crrev.com/0bc7a97eb3fa27c5899555c582c75dede9c17976/include/linux/vmacache.h
[modify] https://crrev.com/0bc7a97eb3fa27c5899555c582c75dede9c17976/mm/vmacache.c

Patch for v4.14 is in via stable merge.
Status: Fixed (was: Assigned)
Patch for v4.4 is in via stable merge.
Project Member Comment 8 by sheriffbot@chromium.org, Sep 29

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Issue 910086 has been merged into this issue.
Cc: wonderfly@google.com
Project Member Comment 11 by sheriffbot@chromium.org, Jan 5

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
