userfaultfd: fix a race between writeprotect and exit_mmap()

jira VULN-4370 cve CVE-2021-47461 commit-author Nadav Amit <[email protected]> commit cb185d5 A race is possible when a process exits, its VMAs are removed by exit_mmap() and at the same time userfaultfd_writeprotect() is called. The race was detected by KASAN on a development kernel, but it appears to be possible on vanilla kernels as well. Use mmget_not_zero() to prevent the race as done in other userfaultfd operations. Link: https://lkml.kernel.org/r/[email protected] Fixes: 63b2d41 ("userfaultfd: wp: add the writeprotect API to userfaultfd ioctl") Signed-off-by: Nadav Amit <[email protected]> Tested-by: Li Wang <[email protected]> Reviewed-by: Peter Xu <[email protected]> Cc: Andrea Arcangeli <[email protected]> Cc: <[email protected]> Signed-off-by: Andrew Morton <[email protected]> Signed-off-by: Linus Torvalds <[email protected]> (cherry picked from commit cb185d5) Signed-off-by: Greg Rose <[email protected]>
ctrliq · Nov 19, 2024 · 6362289 · 6362289
1 parent 0c3116e
commit 6362289
Showing 1 changed file with 9 additions and 3 deletions.
diff --git a/fs/userfaultfd.c b/fs/userfaultfd.c
@@ -1801,9 +1801,15 @@ static int userfaultfd_writeprotect(struct userfaultfd_ctx *ctx,
 	if (mode_wp && mode_dontwake)
 		return -EINVAL;
 
-	ret = mwriteprotect_range(ctx->mm, uffdio_wp.range.start,
-				  uffdio_wp.range.len, mode_wp,
-				  &ctx->mmap_changing);
+	if (mmget_not_zero(ctx->mm)) {
+		ret = mwriteprotect_range(ctx->mm, uffdio_wp.range.start,
+					  uffdio_wp.range.len, mode_wp,
+					  &ctx->mmap_changing);
+		mmput(ctx->mm);
+	} else {
+		return -ESRCH;
+	}
+
 	if (ret)
 		return ret;