lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Wed, 21 Jun 2017 11:35:48 +0200
From:   Michal Hocko <mhocko@...nel.org>
To:     Hugh Dickins <hughd@...gle.com>
Cc:     Linus Torvalds <torvalds@...ux-foundation.org>,
        Dave Jones <davej@...emonkey.org.uk>,
        Oleg Nesterov <oleg@...hat.com>, linux-kernel@...r.kernel.org,
        linux-mm@...ck.org
Subject: Re: [PATCH] mm: fix new crash in unmapped_area_topdown()

On Tue 20-06-17 02:10:44, Hugh Dickins wrote:
> Trinity gets kernel BUG at mm/mmap.c:1963! in about 3 minutes of
> mmap testing.  That's the VM_BUG_ON(gap_end < gap_start) at the
> end of unmapped_area_topdown().  Linus points out how MAP_FIXED
> (which does not have to respect our stack guard gap intentions)
> could result in gap_end below gap_start there.  Fix that, and
> the similar case in its alternative, unmapped_area().

I finally found some more time to look at this and the fix looks good to
me. I have checked and it seems to be complete. I was even wondering
wheter we should warn when MAP_FIXED is too close to a stack area. Maybe
somebody does that intentionally, though (I can certainly imagine
PROT_NONE mapping under the stack to protect from {over,under}flows).

> Cc: stable@...r.kernel.org
> Fixes: 1be7107fbe18 ("mm: larger stack guard gap, between vmas")
> Reported-by: Dave Jones <davej@...emonkey.org.uk>
> Debugged-by: Linus Torvalds <torvalds@...ux-foundation.org>
> Signed-off-by: Hugh Dickins <hughd@...gle.com>

Anyway feel free to add
Acked-by: Michal Hocko <mhocko@...e.com>

> ---
> 
>  mm/mmap.c |    6 ++++--
>  1 file changed, 4 insertions(+), 2 deletions(-)
> 
> --- 4.12-rc6/mm/mmap.c	2017-06-19 09:06:10.035407505 -0700
> +++ linux/mm/mmap.c	2017-06-19 21:09:28.616707311 -0700
> @@ -1817,7 +1817,8 @@ unsigned long unmapped_area(struct vm_un
>  		/* Check if current node has a suitable gap */
>  		if (gap_start > high_limit)
>  			return -ENOMEM;
> -		if (gap_end >= low_limit && gap_end - gap_start >= length)
> +		if (gap_end >= low_limit &&
> +		    gap_end > gap_start && gap_end - gap_start >= length)
>  			goto found;
>  
>  		/* Visit right subtree if it looks promising */
> @@ -1920,7 +1921,8 @@ unsigned long unmapped_area_topdown(stru
>  		gap_end = vm_start_gap(vma);
>  		if (gap_end < low_limit)
>  			return -ENOMEM;
> -		if (gap_start <= high_limit && gap_end - gap_start >= length)
> +		if (gap_start <= high_limit &&
> +		    gap_end > gap_start && gap_end - gap_start >= length)
>  			goto found;
>  
>  		/* Visit left subtree if it looks promising */

-- 
Michal Hocko
SUSE Labs

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ