Re: [PATCH] ipc/shm: fix use-after-free of shm file via remap_file_pages()

From: Davidlohr Bueso
Date: Tue Apr 10 2018 - 12:18:52 EST

Next message: Marc Zyngier: "Re: [PATCH] irqchip/gic-v3: Support v2m frame backwards compatibility mode"
Previous message: Matthew Wilcox: "Re: [PATCH v2 1/2] mm: introduce ARCH_HAS_PTE_SPECIAL"
In reply to: Davidlohr Bueso: "Re: [PATCH] ipc/shm: fix use-after-free of shm file via remap_file_pages()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Sun, 08 Apr 2018, Eric Biggers wrote:

@@ -480,6 +487,7 @@ static int shm_release(struct inode *ino, struct file *file)
struct shm_file_data *sfd = shm_file_data(file);

put_ipc_ns(sfd->ns);
+ fput(sfd->file);
shm_file_data(file) = NULL;
kfree(sfd);
return 0;
@@ -1432,7 +1440,7 @@ long do_shmat(int shmid, char __user *shmaddr, int shmflg,
file->f_mapping = shp->shm_file->f_mapping;
sfd->id = shp->shm_perm.id;
sfd->ns = get_ipc_ns(ns);
- sfd->file = shp->shm_file;
+ sfd->file = get_file(shp->shm_file);
sfd->vm_ops = NULL;

This probably merits a comment as it is adhoc to remap_file_pages(),
but otherwise:

Acked-by: Davidlohr Bueso <dbueso@xxxxxxx>

Next message: Marc Zyngier: "Re: [PATCH] irqchip/gic-v3: Support v2m frame backwards compatibility mode"
Previous message: Matthew Wilcox: "Re: [PATCH v2 1/2] mm: introduce ARCH_HAS_PTE_SPECIAL"
In reply to: Davidlohr Bueso: "Re: [PATCH] ipc/shm: fix use-after-free of shm file via remap_file_pages()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]