lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <alpine.LFD.0.999.0711010809171.3342@woody.linux-foundation.org>
Date:	Thu, 1 Nov 2007 08:14:47 -0700 (PDT)
From:	Linus Torvalds <torvalds@...ux-foundation.org>
To:	Nick Piggin <npiggin@...e.de>
cc:	Duane Griffin <duaneg@...da.com>,
	linux-kernel Mailing List <linux-kernel@...r.kernel.org>,
	stable@...nel.org
Subject: Re: 2.6.23 regression: accessing invalid mmap'ed memory from gdb
 causes unkillable spinning



On Thu, 1 Nov 2007, Nick Piggin wrote:

> On Wed, Oct 31, 2007 at 04:08:21PM -0700, Linus Torvalds wrote:
> > 
> > We made much bigger changes to ptrace support when we disallowed writing 
> > to read-only shared memory areas (we used to do the magic per-page COW 
> > thing).
> 
> Really? No, we still do that magic COW thing which creates anonymous
> pages in MAP_SHARED vmas, don't we?

No, we don't. I'm pretty sure. It didn't work with the VM cleanups, since 
the MAP_SHARED vma's won't be on the anonymous list any more, and cannot 
be swapped out.

So now, if you try to write to a read-only shared page through ptrace, 
you'll get "Unable to access".

Of course, I didn't really look closely, so maybe I just don't remember 
things right..

> > access_vm_pages() (things like core-dumping comes to mind - although I 
> > think we don't dump pure file mappings at all, do we?) it would certainly 
> > be good to run any such tests on the current -git tree...
> 
> We do for MAP_SHARED|MAP_ANONYMOUS, by the looks.

Well, as we should. There's no way for a debugger to get those pages back. 
So that all looks sane.

> -			vm_flags |= VM_SHARED | VM_MAYSHARE;
> -			if (!(file->f_mode & FMODE_WRITE))
> -				vm_flags &= ~(VM_MAYWRITE | VM_SHARED);
> +			vm_flags |= VM_MAYSHARE;
> +			if (file->f_mode & FMODE_WRITE)
> +				vm_flags |= VM_SHARED;
> +			if (!(vm_flags & VM_WRITE))
> +				vm_flags &= ~VM_MAYWRITE;

This looks totally bogus. What was the intent of this patch?

The VM_MAYWRITE flag is *not* supposed to track the VM_WRITE flag: that 
would defeat the whole purpose of it! The whole point of that flag is to 
say whether mprotect() could turn it into a VM_WRITE mapping, and it 
depends on the file mode, not VM_WRITE!

>  			vm_flags |= VM_SHARED | VM_MAYSHARE;
> +			if (!(vm_flags & VM_WRITE))
> +				vm_flags &= ~VM_MAYWRITE;

More apparent bogosities.

		Linus
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ