lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Mon, 29 Jan 2007 17:26:56 +0000 (GMT)
From:	Hugh Dickins <hugh@...itas.com>
To:	Ken Chen <kenchen@...gle.com>
cc:	Adam Litke <agl@...ibm.com>, Andrew Morton <akpm@...l.org>,
	William Irwin <wli@...omorphy.com>,
	David Gibson <david@...son.dropbear.id.au>, linux-mm@...ck.org,
	linux-kernel@...r.kernel.org
Subject: Re: [PATCH] Don't allow the stack to grow into hugetlb reserved
 regions

On Sun, 28 Jan 2007, Ken Chen wrote:
> 
> For ia64, the hugetlb address region is reserved at the top of user
> space address.  Stacks are below that region.  Throw in the mix, we
> have two stacks, one memory stack that grows down and one register
> stack backing store that grows up.  These two stacks are always in
> pair and grow towards each other. And lastly, we have virtual address
> holes in between regions.  It's just impossible to grow any of these
> two stacks into hugetlb region no matter how I played it.
> 
> So, AFAICS this bug doesn't apply to ia64 (and certainly not x86). The
> new check of is_hugepage_only_range() is really a noop for both arches.

Certainly not a problem on x86.

But, never mind hugetlb, you still not quite convinced me that there's
no problem at all with get_user_pages find_extend_vma growing on ia64.

I repeat that ia64_do_page_fault has REGION tests to guard against
expanding either kind of stack across into another region.  ia64_brk,
ia64_mmap_check and arch_get_unmapped_area have RGN_MAP_LIMIT checks.
But where is the equivalent paranoia when ptrace calls get_user_pages
calls find_extend_vma?

If your usual stacks face each other across the same region, they're
not going to pose problem.  But what if someone mmaps MAP_GROWSDOWN
near the base of a region, then uses ptrace to touch an address near
the top of the region below?

Hugh
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ