Page MenuHomeFreeBSD
Differential D18720

Fix a use-after-free in pmap_release().
ClosedPublic
Actions

Authored by markj on Jan 2 2019, 6:17 PM.
Tags
None
Referenced Files
Unknown Object (File)
Fri, Jan 31, 11:39 PM
Unknown Object (File)
Jan 13 2025, 4:39 PM
Unknown Object (File)
Jan 10 2025, 10:10 AM
Unknown Object (File)
Dec 24 2024, 3:21 PM
Unknown Object (File)
Dec 10 2024, 5:02 AM
Unknown Object (File)
Oct 29 2024, 11:12 PM
Unknown Object (File)
Oct 25 2024, 3:37 PM
Unknown Object (File)
Oct 2 2024, 11:11 PM
View All 64 Files
Subscribers
imp

Details

Reviewers
kib
alc
jhb
br
mhorne063_gmail.com
Commits
rS342736: Fix a use-after-free in the riscv pmap_release() implementation.
Summary
  • Don't zero the page after freeing it.
  • Don't zero the page before removing it from allpmaps.

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

markj created this revision.Jan 2 2019, 6:17 PM
Harbormaster completed remote builds in B21809: Diff 52488.Jan 2 2019, 6:17 PM
markj added reviewers: kib, alc, jhb, br, mhorne063_gmail.com.Jan 2 2019, 6:24 PM
kib added inline comments.Jan 2 2019, 11:39 PM
sys/riscv/riscv/pmap.c
1306 ↗(On Diff #52488)

Why zeroing it at all ?

jhb accepted this revision.Jan 2 2019, 11:42 PM

One weird oddity. mips uses vm_page_free_zero() for it's top-level page but it doesn't zero it first. arm64 does the same. 32-bit arm v6 just leaks the pages (???), i386 uses vm_page_free() instead of vm_page_free_zero(). sparc64 uses vm_page_free_zero() without zero'ing the pages.

So it seems like mips, arm64, and sparc64 should all use vm_page_free() instead of vm_page_free_zero(). risc-v could also just do that instead of doing an explicit bzero here as well perhaps?

This revision is now accepted and ready to land.Jan 2 2019, 11:42 PM
kib added a comment.Jan 2 2019, 11:55 PM
In D18720#399435, @jhb wrote:

One weird oddity. mips uses vm_page_free_zero() for it's top-level page but it doesn't zero it first. arm64 does the same. 32-bit arm v6 just leaks the pages (???), i386 uses vm_page_free() instead of vm_page_free_zero(). sparc64 uses vm_page_free_zero() without zero'ing the pages.

So it seems like mips, arm64, and sparc64 should all use vm_page_free() instead of vm_page_free_zero(). risc-v could also just do that instead of doing an explicit bzero here as well perhaps?

I believe that the arches that use vm_page_free_zero() without zeroing, rely on the fact that all ptes are cleared before pmap is released. I.e. the page must be zero at this point. At least on arm64 vm_page_free() should be able to assert that the page is zeroed if DIAGNOSTIC is enabled.

And from the first hand experience, if the non-zero page returned to the free pool with PG_ZERO flag set, things breaks very fast, so it is visible, even if in puzzling manner.

markj added inline comments.Jan 3 2019, 12:03 AM
sys/riscv/riscv/pmap.c
1306 ↗(On Diff #52488)

Hmm, I think there's no reason. I will change it.

markj updated this revision to Diff 52499.Jan 3 2019, 12:06 AM
markj marked an inline comment as done.
  • Don't bother zeroing the top-level page.
This revision now requires review to proceed.Jan 3 2019, 12:06 AM
Harbormaster completed remote builds in B21816: Diff 52499.Jan 3 2019, 12:06 AM
kib accepted this revision.Jan 3 2019, 12:19 AM
This revision is now accepted and ready to land.Jan 3 2019, 12:19 AM
Closed by commit rS342736: Fix a use-after-free in the riscv pmap_release() implementation. (authored by markj). · Explain WhyJan 3 2019, 4:27 PM
This revision was automatically updated to reflect the committed changes.
Herald added a subscriber: imp. · View Herald TranscriptJan 3 2019, 4:27 PM

Revision Contents
Changeset List

PathSize
head/
sys/
riscv/
riscv/
10 lines

Diff 52512

View Options

head/sys/riscv/riscv/pmap.c

Loading...