| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 21 Jun 2017 20:19:34 +0300
From: Dmitry Safonov <dsafonov@...tuozzo.com>
To: Oleg Nesterov <oleg@...hat.com>,
Cyrill Gorcunov <gorcunov@...il.com>
Cc: Hugh Dickins <hughd@...gle.com>, Andrey Vagin <avagin@...nvz.org>,
LKML <linux-kernel@...r.kernel.org>,
Pavel Emelyanov <xemul@...tuozzo.com>,
Andrew Morton <akpm@...uxfoundation.org>,
Adrian Reber <areber@...hat.com>
Subject: Re: [criu] 1M guard page ruined restore
On 06/21/2017 08:15 PM, Dmitry Safonov wrote:
> On 06/21/2017 08:01 PM, Oleg Nesterov wrote:
>> On 06/21, Cyrill Gorcunov wrote:
>>>
>>> On Wed, Jun 21, 2017 at 05:57:30PM +0200, Oleg Nesterov wrote:
>>>>>
>>>>> p = fake_grow_down;
>>>>> *p-- = 'c';
>>>>
>>>> I guess this works? I mean, *p-- = 'c' should not fail...
>>>
>>> It fails.
>>
>> Hmm. Impossible ;) could you add the additional printf's to re-check?
>>
>>> Here is the complete code. It supposed to _extend_ stack but it fails
>>> on the latest master + Hugh's [PATCH] mm: fix new crash in
>>> unmapped_area_topdown()
>>> ---
>>> [root@fc2 criu]# ~/st2
>>> start_addr 7fe6162a8000
>>> start_addr 7fe6163d9000
>>> Segmentation fault (core dumped)
>>> ---
>>> #include <stdio.h>
>>> #include <stdlib.h>
>>> #include <errno.h>
>>> #include <stdlib.h>
>>> #include <string.h>
>>> #include <unistd.h>
>>>
>>> #include <sys/mman.h>
>>>
>>> #define PAGE_SIZE 4096
>>>
>>> int main(int argc, char **argv)
>>> {
>>> char *start_addr, *start_addr1, *fake_grow_down, *test_addr,
>>> *grow_down;
>>> volatile char *p;
>>>
>>> start_addr = mmap(NULL, PAGE_SIZE * 512, PROT_READ | PROT_WRITE,
>>> MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);
>>> if (start_addr == MAP_FAILED) {
>>> printf("Can't mal a new region");
>>> return 1;
>>> }
>>> printf("start_addr %lx\n", start_addr);
>>> munmap(start_addr, PAGE_SIZE * 512);
>>>
>>> start_addr += PAGE_SIZE * 300;
>>>
>>> fake_grow_down = mmap(start_addr + PAGE_SIZE * 5, PAGE_SIZE,
>>> PROT_READ | PROT_WRITE,
>>> MAP_ANONYMOUS | MAP_PRIVATE | MAP_FIXED | MAP_GROWSDOWN,
>>> -1, 0);
>>> if (fake_grow_down == MAP_FAILED) {
>>> printf("Can't mal a new region");
>>> return 1;
>>> }
>>> printf("start_addr %lx\n", fake_grow_down);
>>>
>>> p = fake_grow_down;
>>> *p-- = 'c';
>>
>> once again, I can't believe this STORE can fail...
>>
>>> *p = 'b';
>>
>> Ah. I forgot about another kernel "feature" ;) not related to the
>> recent guard
>> page changes...
>>
>> Could you test the patch below?
>
> Well, for me only the second store caused segfault.
> With your patch it passes..
The only question I have - how is it connected to guard page?
Before the former patch the test has passed. Why?
And this thing seems to be in kernel since 2009.
>
>>
>>
>> diff --git a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c
>> index 8ad91a0..edc5d68 100644
>> --- a/arch/x86/mm/fault.c
>> +++ b/arch/x86/mm/fault.c
>> @@ -1416,7 +1416,7 @@ __do_page_fault(struct pt_regs *regs, unsigned
>> long error_code,
>> * and pusha to work. ("enter $65535, $31" pushes
>> * 32 pointers and then decrements %sp by 65535.)
>> */
>> - if (unlikely(address + 65536 + 32 * sizeof(unsigned long) <
>> regs->sp)) {
>> +if (0) if (unlikely(address + 65536 + 32 * sizeof(unsigned
>> long) < regs->sp)) {
>> bad_area(regs, error_code, address);
>> return;
>> }
>>
>
--
Dmitry
Powered by blists - more mailing lists