| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 29 Jan 2009 15:31:04 -0800
From: Maksim Yevmenkin <maksim.yevmenkin@...il.com>
To: Randy Dunlap <randy.dunlap@...cle.com>
Cc: Linus Torvalds <torvalds@...ux-foundation.org>,
Lee Schermerhorn <Lee.Schermerhorn@...com>,
linux-kernel <linux-kernel@...r.kernel.org>,
Nick Piggin <npiggin@...e.de>,
Andrew Morton <akpm@...ux-foundation.org>,
Greg Kroah-Hartman <gregkh@...e.de>, will@...wder-design.com,
Rik van Riel <riel@...hat.com>,
KOSAKI Motohiro <kosaki.motohiro@...fujitsu.com>,
KAMEZAWA Hiroyuki <kamezawa.hiroyu@...fujitsu.com>
Subject: Re: [PATCH] Fix OOPS in mmap_region() when merging adjacent VM_LOCKED
file segments
On Thu, Jan 29, 2009 at 2:48 PM, Randy Dunlap <randy.dunlap@...cle.com> wrote:
> Maksim Yevmenkin wrote:
>> On Thu, Jan 29, 2009 at 12:48 PM, Linus Torvalds
>> <torvalds@...ux-foundation.org> wrote:
>>> On Thu, 29 Jan 2009, Linus Torvalds wrote:
>>>> THIS PATCH IS TOTALLY UNTESTED!
>>> Well, it boots. FWIW. I've not really tested anything interesting with it,
>>> but any potential breakage is at least not catastrophic and immediate.
>>>
>>>> diff --git a/mm/mmap.c b/mm/mmap.c
>>>> index 8d95902..3f78ead 100644
>>>> --- a/mm/mmap.c
>>>> +++ b/mm/mmap.c
>>>> @@ -769,6 +769,10 @@ struct vm_area_struct *vma_merge(struct mm_struct *mm,
>>>> if (vm_flags & VM_SPECIAL)
>>>> return NULL;
>>>>
>>>> + /* Anonymous shared mappings are unsharable */
>>>> + if ((vm_flags & VM_SHARED) && !file)
>>>> + return NULL;
>>>> +
>>> .. and I think this part of it is actually unnecessary, because what
>>> happens is that a shared anon mapping is turned into a shmem mapping when
>>> it is inserted, and that actually ends up allocating a file for it. So the
>>> vma->vm_file for anon mappings will not match a NULL file pointer
>>> _anyway_, so there's no way it would end up merging.
>>>
>>> So my patch can be further simplified, I think, to just the following.
>>> Even more total lines removed.
>>>
>>> I still want somebody else to look at and think about it, though.
>>
>> Just to confirm. This patch also appear to fix the immediate issue for us.
>
> Is there a (small) test program available?
Yes, it was in the original (first) email. Here it is again
/*
* Program to provoke kernel NULL pointer de-reference during
* mmap(...MAP_LOCKED...) in Linux 2.6.28.
*
* 1. Create a 32KB test file in /tmp (avoids mlock limit on all recent
* Linuxes).
* 2. mmap it with MAP_LOCKED from top to bottom. (Provokes the oops,
* since vmas can be merged in this case.)
* 3. Clean up.
*
* Compile:
*
* gcc maplock-bug.c -o maplog-bug
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <stdint.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <sys/mman.h>
#define SIZE (32*1024) /* Will get rounded down to page size if nec. */
static char tmp[] = "./maplock-bug.XXXXXX";
static char junkbuf[SIZE];
int
main(void)
{
int fd;
int ps = getpagesize();
size_t sz = (SIZE / ps) * ps;
void **addrs;
off_t off;
int i;
if ((addrs = malloc((sz / ps) * sizeof (*addrs))) == 0) {
perror("malloc");
exit(1);
}
if ((fd = mkstemp(tmp)) < 0) {
perror("mkstemp");
exit(1);
}
if (write(fd, junkbuf, sz) != sz) {
perror("write");
exit(1);
}
if (close(fd) < 0) {
perror("close");
exit(1);
}
if ((fd = open(tmp, O_RDONLY)) < 0) {
perror("open");
exit(1);
}
for (off = sz - ps, i = 0; off >= 0; off -= ps, i++) {
if ((addrs[i] =
mmap(0, ps, PROT_READ, MAP_SHARED|MAP_LOCKED,
fd, off)) == MAP_FAILED) {
perror("mmap");
exit(1);
}
printf("Mapped offset 0x%jx at %p\n",
(uintmax_t)off, addrs[i]);
}
if (close(fd) < 0) {
perror("close");
exit(1);
}
for (i = 0; i < sz / ps; i++) {
if (munmap(addrs[i], ps) < 0) {
perror("munmap");
exit(1);
}
printf("Unmapped %p\n", addrs[i]);
}
if (unlink(tmp) < 0) {
perror("unlink");
exit(1);
}
printf("Done\n");
}
Thanks,
max
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists