LPE on Linux - vmacache_flush_all() bug
https://updatesinfosec.blogspot.com/2018/09/lpe-on-linux-vmacacheflushall-bug.html
In summary:
Kindly refer to the following link as a follow-up:
https://ift.tt/2xKKoIu
Since commit 615d6e8756c8 ("mm: per-thread vma caching", first in 3.15), Linux has per-task VMA caches that contain up to four VMA pointers for fast lookup. VMA caches are invalidated by bumping the 32-bit per-mm sequence number mm->vmacache_seqnum; when the sequence number wraps, vmacache_flush_all() scans through all running tasks and wipes the VMA caches of all tasks that share current's mm. In commit 6b4ebc3a9078 ("mm,vmacache: optimize overflow system-wide flushing", first in 3.16), a bogus fastpath was added that skips the invalidation on overflow if current->mm->mm_users==1. This means that the following sequence of events triggers a use-after-free [...]
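As an added illustration that is not code from the report or from the kernel, the following constructed C model of the scheme just described runs the same 32-bit wraparound with and without the mm_users==1 skip, and shows that a stale entry held by a task sharing the mm is still served only when the skip is in force. It assumes, without modelling how that state arises, a second task referencing the mm while mm_users reads 1, and uses a placeholder object in place of the freed VMA.

```c
/* Constructed model (not kernel code) of the scheme described above: per-task
 * caches checked against a 32-bit per-mm seqnum, flushed system-wide on wrap
 * unless the 3.16 fastpath sees mm_users == 1. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

enum { VMACACHE_SIZE = 4, NTASKS = 2 };
struct mm { uint32_t vmacache_seqnum; int mm_users; };
struct task { struct mm *mm; uint32_t vmacache_seqnum; const void *vmas[VMACACHE_SIZE]; };
static struct task tasks[NTASKS];

/* Wipe the cache of every task sharing mm; `fastpath` enables the bogus skip. */
static void vmacache_flush_all(struct mm *mm, bool fastpath) {
    if (fastpath && mm->mm_users == 1)
        return;
    for (int i = 0; i < NTASKS; i++)
        if (tasks[i].mm == mm)
            memset(tasks[i].vmas, 0, sizeof tasks[i].vmas);
}

static void vmacache_invalidate(struct mm *mm, bool fastpath) {
    if (++mm->vmacache_seqnum == 0)            /* 32-bit counter wrapped */
        vmacache_flush_all(mm, fastpath);
}

/* Lookup: a task whose seqnum lags the mm's drops its entries and resyncs. */
static const void *vmacache_find(struct task *t, const void *want) {
    if (t->vmacache_seqnum != t->mm->vmacache_seqnum) {
        memset(t->vmas, 0, sizeof t->vmas);
        t->vmacache_seqnum = t->mm->vmacache_seqnum;
        return NULL;
    }
    for (int i = 0; i < VMACACHE_SIZE; i++)
        if (t->vmas[i] == want) return t->vmas[i];
    return NULL;
}

/* True if an entry task B cached at seqnum 0 is still served once the mm seqnum
 * wraps back to 0. Assumed precondition, not modelled: a second task references
 * the mm while mm_users reads 1. The 2^32-1 intermediate bumps are skipped by
 * starting the counter at UINT32_MAX. */
static bool stale_entry_survives_wrap(bool fastpath) {
    static const int vma;  /* stands in for a vm_area_struct freed meanwhile */
    struct mm mm = { .vmacache_seqnum = UINT32_MAX, .mm_users = 1 };
    tasks[0] = (struct task){ .mm = &mm };                                 /* current */
    tasks[1] = (struct task){ .mm = &mm, .vmacache_seqnum = 0, .vmas = { &vma } };
    vmacache_invalidate(&mm, fastpath);        /* wraps to 0: flush or skip */
    return vmacache_find(&tasks[1], &vma) != NULL;
}
```

With the skip removed (the pre-3.16 behaviour), the flush on wrap clears task B's entries and the lookup misses, which is the property a regression test for this class of bug should assert.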