| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20100422154059.GA5916@redhat.com>
Date: Thu, 22 Apr 2010 17:40:59 +0200
From: Oleg Nesterov <oleg@...hat.com>
To: Srikar Dronamraju <srikar@...ux.vnet.ibm.com>
Cc: Peter Zijlstra <peterz@...radead.org>, Ingo Molnar <mingo@...e.hu>,
Andrew Morton <akpm@...ux-foundation.org>,
Linus Torvalds <torvalds@...ux-foundation.org>,
Masami Hiramatsu <mhiramat@...hat.com>,
Randy Dunlap <rdunlap@...otime.net>,
Ananth N Mavinakayanahalli <ananth@...ibm.com>,
Jim Keniston <jkenisto@...ux.vnet.ibm.com>,
Frederic Weisbecker <fweisbec@...il.com>,
"Frank Ch. Eigler" <fche@...hat.com>,
LKML <linux-kernel@...r.kernel.org>,
Roland McGrath <roland@...hat.com>, Mel Gorman <mel@....ul.ie>,
"Paul E. McKenney" <paulmck@...ux.vnet.ibm.com>,
Andrea Arcangeli <aarcange@...hat.com>,
Hugh Dickins <hugh.dickins@...cali.co.uk>,
Rik van Riel <riel@...hat.com>
Subject: Re: [PATCH v2 7/11] Uprobes Implementation
On 04/22, Srikar Dronamraju wrote:
>
> * Oleg Nesterov <oleg@...hat.com> [2010-04-21 18:05:15]:
>
> > 3. mprotect(). write_opcode() checks !VM_WRITE. This is correct,
> > otherwise we can race with the user-space writing to the same
> > page.
> >
> > But suppose that the application does mprotect(PROT_WRITE) after
> > register_uprobe() installs the bp, now unregister_uprobe/etc can't
> > restore the original insn?
> >
>
> I still need to verify this. I shall get back to you on this.
> However are there applications that mprotect(PROT_WRITE) text pages?
Well, I think the kernel should assume that the user-space can do
anything.
Hmm. And if this vma is VM_SHARED, then this bp could be actually
written to vm_file after mprotect().
But I think this doesn't really matter. When I actually look at
patches 3 and 4, I am starting to think this all is very wrong.
> I am copying Mel Gorman and Andrea Arcangeli so that they can provide
> their inputs on VM and KSM related issues.
Yes. We need vm experts here, I am not. Still, I'd like to share my
concerns. I also added Rik and Hugh.
So, 3/11 does
@@ -2617,7 +2617,10 @@ int replace_page(struct vm_area_struct *vma, struct page *page,
}
get_page(kpage);
- page_add_anon_rmap(kpage, vma, addr);
+ if (PageAnon(kpage))
+ page_add_anon_rmap(kpage, vma, addr);
+ else
+ page_add_file_rmap(kpage);
flush_cache_page(vma, addr, pte_pfn(*ptep));
ptep_clear_flush(vma, addr, ptep);
I see no point in this patch, please see below.
The next 4/11 patch introduces write_opcode() which roughly does:
int write_opcode(unsigned long vaddr, user_bkpt_opcode_t opcode)
{
get_user_pages(write => false, &old_page);
new_page = alloc_page_vma(...);
... insert the bp into the new_page ...
new_page->mapping = old_page->mapping;
new_page->index = old_page->index;
replace_page(old_page, new_page);
}
This doesn't look right at all to me.
IF PageAnon(old_page):
in this case replace_page() calls page_add_anon_rmap() which
needs the locked page.
ELSE:
I don't think the new page should evere preserve the mapping,
this looks just wrong. It should be always anonymous.
And in fact, I do not understand why write_opcode() needs replace_page().
It could just use get_user_pages(FOLL_WRITE | FOLL_FORCE), no? It should
create the anonymous page correctly.
Either way, I think register_uprobe() should disallow the probes in
VM_SHARED/VM_MAYWRITE vmas.
Oleg.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists