Commit a68a0262 authored Dec 08, 2020 by Minchan Kim Committed by Linus Torvalds Dec 08, 2020

mm/madvise: remove racy mm ownership check



Jann spotted the security hole due to race of mm ownership check.

If the task is sharing the mm_struct but goes through execve() before
mm_access(), it could skip process_madvise_behavior_valid check.  That
makes *any advice hint* to reach into the remote process.

This patch removes the mm ownership check.  With it, it will lose the
ability that local process could give *any* advice hint with vector
interface for some reason (e.g., performance).  Since there is no
concrete example in upstream yet, it would be better to remove the
abiliity at this moment and need to review when such new advice comes
up.

Fixes: ecb8ac8b ("mm/madvise: introduce process_madvise() syscall: an external memory hinting API")
Reported-by: Jann Horn <jannh@google.com>
Suggested-by: Jann Horn <jannh@google.com>
Signed-off-by: Minchan Kim <minchan@kernel.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

parent 4cb68296

mm/madvise.c

+1 −2

Original line number	Diff line number	Diff line
		@@ -1204,8 +1204,7 @@ SYSCALL_DEFINE5(process_madvise, int, pidfd, const struct iovec __user *, vec,
		goto put_pid;
		}

		if (task->mm != current->mm &&
		!process_madvise_behavior_valid(behavior)) {
		if (!process_madvise_behavior_valid(behavior)) {
		ret = -EINVAL;
		goto release_task;
		}

Admin message