| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 7 Apr 2011 14:41:53 +0200 From: Robert Święcki <robert@...ecki.net> To: Linus Torvalds <torvalds@...ux-foundation.org> Cc: Hugh Dickins <hughd@...gle.com>, Andrew Morton <akpm@...ux-foundation.org>, Miklos Szeredi <miklos@...redi.hu>, Michel Lespinasse <walken@...gle.com>, "Eric W. Biederman" <ebiederm@...ssion.com>, linux-kernel@...r.kernel.org, linux-mm@...ck.org, Peter Zijlstra <a.p.zijlstra@...llo.nl>, Rik van Riel <riel@...hat.com> Subject: Re: [PATCH] mm: fix possible cause of a page_mapped BUG >>> I was about to send you my own UNTESTED patch: let me append it anyway, >>> I think it is more correct than yours (it's the offset of vm_end we need >>> to worry about, and there's the funny old_len,new_len stuff). >> >> Umm. That's what my patch did too. The >> >> pgoff = (addr - vma->vm_start) >> PAGE_SHIFT; >> >> is the "offset of the pgoff" from the original mapping, then we do >> >> pgoff += vma->vm_pgoff; >> >> to get the pgoff of the new mapping, and then we do >> >> if (pgoff + (new_len >> PAGE_SHIFT) < pgoff) >> >> to check that the new mapping is ok. >> >> I think yours is equivalent, just a different (and odd - that >> linear_page_index() thing will do lots of unnecessary shifts and >> hugepage crap) way of writing it. >> >>> See what you think - sorry, I'm going out now. >> >> I think _yours_ is conceptually buggy, because I think that test for >> "vma->vm_file" is wrong. >> >> Yes, new anonymous mappings set vm_pgoff to the virtual address, but >> that's not true for mremap() moving them around, afaik. >> >> Admittedly it's really hard to get to the overflow case, because the >> address is shifted down, so even if you start out with an anonymous >> mmap at a high address (to get a big vm_off), and then move it down >> and expand it (to get a big size), I doubt you can possibly overflow. >> But I still don't think that the test for vm_file is semantically >> sensible, even if it might not _matter_. >> >> But whatever. I suspect both our patches are practically doing the >> same thing, and it would be interesting to hear if it actually fixes >> the issue. Maybe there is some other way to mess up vm_pgoff that I >> can't think of right now. > > Testing with Linus' patch. Will let you know in a few hours. Ok, nothing happened after ~20h. The bug, usually, was triggered within 5-10h. I can add some printk in this condition, and let it run for a few days (I will not have access to my testing machine throughout that time), if you think this will confirm your hypothesis. -- Robert Święcki -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists