lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <030a5655-bdc2-94a2-ee52-d6ea7be19a31@collabora.com>
Date:   Wed, 31 Aug 2016 12:36:26 -0400
From:   Robert Foss <robert.foss@...labora.com>
To:     Jacek Anaszewski <j.anaszewski@...sung.com>, corbet@....net,
        akpm@...ux-foundation.org, vbabka@...e.cz, mhocko@...e.com,
        koct9i@...il.com, hughd@...gle.com, n-horiguchi@...jp.nec.com,
        minchan@...nel.org, john.stultz@...aro.org,
        ross.zwisler@...ux.intel.com, jmarchan@...hat.com,
        hannes@...xchg.org, mingo@...nel.org, keescook@...omium.org,
        viro@...iv.linux.org.uk, gorcunov@...nvz.org, mnfhuang@...il.com,
        adobriyan@...il.com, calvinowens@...com, jdanis@...gle.com,
        jann@...jh.net, sonnyrao@...omium.org,
        kirill.shutemov@...ux.intel.com, ldufour@...ux.vnet.ibm.com,
        linux-doc@...r.kernel.org, linux-kernel@...r.kernel.org,
        Ben Zhang <benzh@...omium.org>,
        Bryan Freed <bfreed@...omium.org>,
        Filipe Brandenburger <filbranden@...omium.org>,
        Mateusz Guzik <mguzik@...hat.com>,
        Michal Hocko <mhocko@...nel.org>, linux-api@...r.kernel.org
Subject: Re: [PACTH v4 1/3] mm, proc: Implement /proc/<pid>/totmaps



On 2016-08-31 05:45 AM, Jacek Anaszewski wrote:
> Hi Robert,
>
> On 08/17/2016 12:33 AM, robert.foss@...labora.com wrote:
>> From: Robert Foss <robert.foss@...labora.com>
>>
>> This is based on earlier work by Thiago Goncales. It implements a new
>> per process proc file which summarizes the contents of the smaps file
>> but doesn't display any addresses.  It gives more detailed information
>> than statm like the PSS (proprotional set size).  It differs from the
>> original implementation in that it doesn't use the full blown set of
>> seq operations, uses a different termination condition, and doesn't
>> displayed "Locked" as that was broken on the original implemenation.
>>
>> This new proc file provides information faster than parsing the
>> potentially
>> huge smaps file.
>>
>> Tested-by: Robert Foss <robert.foss@...labora.com>
>> Signed-off-by: Robert Foss <robert.foss@...labora.com>
>>
>> Signed-off-by: Sonny Rao <sonnyrao@...omium.org>
>> ---
>>  fs/proc/base.c     |   1 +
>>  fs/proc/internal.h |   2 +
>>  fs/proc/task_mmu.c | 141
>> +++++++++++++++++++++++++++++++++++++++++++++++++++++
>>  3 files changed, 144 insertions(+)
>>
>> diff --git a/fs/proc/base.c b/fs/proc/base.c
>> index a11eb71..de3acdf 100644
>> --- a/fs/proc/base.c
>> +++ b/fs/proc/base.c
>> @@ -2855,6 +2855,7 @@ static const struct pid_entry tgid_base_stuff[] = {
>>      REG("clear_refs", S_IWUSR, proc_clear_refs_operations),
>>      REG("smaps",      S_IRUGO, proc_pid_smaps_operations),
>>      REG("pagemap",    S_IRUSR, proc_pagemap_operations),
>> +    REG("totmaps",    S_IRUGO, proc_totmaps_operations),
>>  #endif
>>  #ifdef CONFIG_SECURITY
>>      DIR("attr",       S_IRUGO|S_IXUGO,
>> proc_attr_dir_inode_operations, proc_attr_dir_operations),
>> diff --git a/fs/proc/internal.h b/fs/proc/internal.h
>> index aa27810..99f97d7 100644
>> --- a/fs/proc/internal.h
>> +++ b/fs/proc/internal.h
>> @@ -297,6 +297,8 @@ extern const struct file_operations
>> proc_pid_smaps_operations;
>>  extern const struct file_operations proc_tid_smaps_operations;
>>  extern const struct file_operations proc_clear_refs_operations;
>>  extern const struct file_operations proc_pagemap_operations;
>> +extern const struct file_operations proc_totmaps_operations;
>> +
>>
>>  extern unsigned long task_vsize(struct mm_struct *);
>>  extern unsigned long task_statm(struct mm_struct *,
>> diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c
>> index 4648c7f..fd8fd7f 100644
>> --- a/fs/proc/task_mmu.c
>> +++ b/fs/proc/task_mmu.c
>> @@ -802,6 +802,75 @@ static int show_smap(struct seq_file *m, void *v,
>> int is_pid)
>>      return 0;
>>  }
>>
>> +static void add_smaps_sum(struct mem_size_stats *mss,
>> +        struct mem_size_stats *mss_sum)
>> +{
>> +    mss_sum->resident += mss->resident;
>> +    mss_sum->pss += mss->pss;
>> +    mss_sum->shared_clean += mss->shared_clean;
>> +    mss_sum->shared_dirty += mss->shared_dirty;
>> +    mss_sum->private_clean += mss->private_clean;
>> +    mss_sum->private_dirty += mss->private_dirty;
>> +    mss_sum->referenced += mss->referenced;
>> +    mss_sum->anonymous += mss->anonymous;
>> +    mss_sum->anonymous_thp += mss->anonymous_thp;
>> +    mss_sum->swap += mss->swap;
>> +}
>> +
>> +static int totmaps_proc_show(struct seq_file *m, void *data)
>> +{
>> +    struct proc_maps_private *priv = m->private;
>> +    struct mm_struct *mm = priv->mm;
>> +    struct vm_area_struct *vma;
>> +    struct mem_size_stats mss_sum;
>> +
>> +    memset(&mss_sum, 0, sizeof(mss_sum));
>> +    down_read(&mm->mmap_sem);
>> +    hold_task_mempolicy(priv);
>> +
>> +    for (vma = mm->mmap; vma != priv->tail_vma; vma = vma->vm_next) {
>> +        struct mem_size_stats mss;
>> +        struct mm_walk smaps_walk = {
>> +            .pmd_entry = smaps_pte_range,
>> +            .mm = vma->vm_mm,
>> +            .private = &mss,
>> +        };
>> +
>> +        if (vma->vm_mm && !is_vm_hugetlb_page(vma)) {
>> +            memset(&mss, 0, sizeof(mss));
>> +            walk_page_vma(vma, &smaps_walk);
>> +            add_smaps_sum(&mss, &mss_sum);
>> +        }
>> +    }
>> +
>> +    release_task_mempolicy(priv);
>> +    up_read(&mm->mmap_sem);
>> +
>> +    seq_printf(m,
>> +           "Rss:            %8lu kB\n"
>> +           "Pss:            %8lu kB\n"
>> +           "Shared_Clean:   %8lu kB\n"
>> +           "Shared_Dirty:   %8lu kB\n"
>> +           "Private_Clean:  %8lu kB\n"
>> +           "Private_Dirty:  %8lu kB\n"
>> +           "Referenced:     %8lu kB\n"
>> +           "Anonymous:      %8lu kB\n"
>> +           "AnonHugePages:  %8lu kB\n"
>> +           "Swap:           %8lu kB\n",
>> +           mss_sum.resident >> 10,
>> +           (unsigned long)(mss_sum.pss >> (10 + PSS_SHIFT)),
>> +           mss_sum.shared_clean  >> 10,
>> +           mss_sum.shared_dirty  >> 10,
>> +           mss_sum.private_clean >> 10,
>> +           mss_sum.private_dirty >> 10,
>> +           mss_sum.referenced >> 10,
>> +           mss_sum.anonymous >> 10,
>> +           mss_sum.anonymous_thp >> 10,
>> +           mss_sum.swap >> 10);
>> +
>> +    return 0;
>> +}
>> +
>>  static int show_pid_smap(struct seq_file *m, void *v)
>>  {
>>      return show_smap(m, v, 1);
>> @@ -812,6 +881,28 @@ static int show_tid_smap(struct seq_file *m, void
>> *v)
>>      return show_smap(m, v, 0);
>>  }
>>
>> +static void *m_totmaps_start(struct seq_file *p, loff_t *pos)
>> +{
>> +    return NULL + (*pos == 0);
>> +}
>> +
>> +static void *m_totmaps_next(struct seq_file *p, void *v, loff_t *pos)
>> +{
>> +    ++*pos;
>> +    return NULL;
>> +}
>> +
>> +static void m_totmaps_stop(struct seq_file *p, void *v)
>> +{
>> +}
>> +
>> +static const struct seq_operations proc_totmaps_op = {
>> +    .start    = m_totmaps_start,
>> +    .next    = m_totmaps_next,
>> +    .stop    = m_totmaps_stop,
>> +    .show    = totmaps_proc_show
>> +};
>> +
>>  static const struct seq_operations proc_pid_smaps_op = {
>>      .start    = m_start,
>>      .next    = m_next,
>> @@ -836,6 +927,49 @@ static int tid_smaps_open(struct inode *inode,
>> struct file *file)
>>      return do_maps_open(inode, file, &proc_tid_smaps_op);
>>  }
>>
>> +static int totmaps_open(struct inode *inode, struct file *file)
>> +{
>> +    struct proc_maps_private *priv = NULL;
>> +    struct seq_file *seq;
>> +    int ret;
>> +
>> +    ret = do_maps_open(inode, file, &proc_totmaps_op);
>> +    if (ret)
>> +        goto error;
>> +
>> +    /*
>> +     * We need to grab references to the task_struct
>> +     * at open time, because there's a potential information
>> +     * leak where the totmaps file is opened and held open
>> +     * while the underlying pid to task mapping changes
>> +     * underneath it
>> +     */
>> +    seq = file->private_data;
>> +    priv = seq->private;
>> +    priv->task = get_proc_task(inode);
>> +    if (!priv->task) {
>> +        ret = -ESRCH;
>> +        goto error_free;
>> +    }
>> +
>> +    return 0;
>> +
>> +error_free:
>> +    proc_map_release(inode, file);
>> +error:
>> +    return ret;
>> +}
>> +
>> +static int totmaps_release(struct inode *inode, struct file *file)
>> +{
>> +    struct seq_file *seq = file->private_data;
>> +    struct proc_maps_private *priv = seq->private;
>> +
>> +    put_task_struct(priv->task);
>> +
>> +    return proc_map_release(inode, file);
>> +}
>> +
>>  const struct file_operations proc_pid_smaps_operations = {
>>      .open        = pid_smaps_open,
>>      .read        = seq_read,
>> @@ -850,6 +984,13 @@ const struct file_operations
>> proc_tid_smaps_operations = {
>>      .release    = proc_map_release,
>>  };
>>
>> +const struct file_operations proc_totmaps_operations = {
>> +    .open        = totmaps_open,
>> +    .read        = seq_read,
>> +    .llseek        = seq_lseek,
>> +    .release    = totmaps_release,
>> +};
>> +
>>  enum clear_refs_types {
>>      CLEAR_REFS_ALL = 1,
>>      CLEAR_REFS_ANON,
>>
>
> When reading totmaps of kernel processes the following NULL pointer
> dereference occurs:
>
> Unable to handle kernel NULL pointer dereference at virtual address
> 00000044
> pgd = ee6e0000
> [00000044] *pgd=7b83a831
> Internal error: Oops: 17 [#6] PREEMPT SMP ARM
> Modules linked in:
> CPU: 2 PID: 1495 Comm: cat Tainted: G      D W
> 4.8.0-rc2-00010-g22fe2db-dirty #159
> Hardware name: SAMSUNG EXYNOS (Flattened Device Tree)
> task: ee596e00 task.stack: ee470000
> PC is at down_read+0xc/0x48
> LR is at totmaps_proc_show+0x2c/0x1e8
> pc : [<c06c01f4>]    lr : [<c022a154>]    psr: 40000013
> sp : ee471db8  ip : 00000000  fp : 00000000
> r10: edfe1080  r9 : 00000001  r8 : 00000044
> r7 : ee4abd00  r6 : edfe1080  r5 : edde0b80  r4 : 00000044
> r3 : 00000000  r2 : 00000000  r1 : ffffffc8  r0 : 00000044
> Flags: nZcv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment none
> Control: 10c5387d  Table: 6e6e004a  DAC: 00000051
> Process cat (pid: 1495, stack limit = 0xee470210)
> Stack: (0xee471db8 to 0xee472000)
> 1da0:                                                       00000000
> c022a154
> 1dc0: ee596e00 024200ca 00000000 024200ca 00000000 00000081 c0b02594
> 024200ca
> 1de0: 00000055 ee5b7e44 00000800 c019cad0 00000000 c06c1af0 00000001
> c032aa90
> 1e00: 00000000 00000000 00000000 00000000 00000000 00000000 00000000
> 00000000
> 1e20: 00000000 00000000 00000000 00000000 00000000 00000000 00000000
> 00000000
> 1e40: 00000000 00000000 c0a69764 c0a69758 0000000b c01afd60 eff4d000
> eff4d000
> 1e60: edc55f20 00000000 edfe10b0 0001c000 20000013 c06bfc9c 7ab80c7f
> c01bc060
> 1e80: 00000002 ef001b80 c0a695d0 024000c0 00008000 ee471ec0 00008000
> edfe1080
> 1ea0: ee4abd00 00000001 00000001 ee471f80 00000000 c01fe564 0001c000
> edfe10b0
> 1ec0: 00000000 00000000 00024e84 ee5b7e00 ee5b7e44 c0705348 0001c000
> ee4abd00
> 1ee0: ee471f80 00008000 ee470000 0001c000 00000000 c01dc850 c0b06aac
> ee471fb0
> 1f00: b6fbf220 b6fbf7c4 000001ff c0101308 386d6a0e 32e4d737 386d6a0e
> 32e4d737
> 1f20: 00002838 00000000 ee4abd00 bec0eba0 00000000 bec0ed84 ee596e00
> 00000000
> 1f40: ee4abd00 00008000 0001c000 00000000 ee471f80 c01ddca0 00000004
> ee478124
> 1f60: 00000001 00000000 00000000 ee4abd00 ee4abd00 00008000 0001c000
> c01ddd64
> 1f80: 00000000 00000000 00000000 00008000 0001c000 00000003 00000003
> c0107ac4
> 1fa0: 00000000 c0107900 00008000 0001c000 00000003 0001c000 00008000
> 0001c000
> 1fc0: 00008000 0001c000 00000003 00000003 00008000 00000000 0000005e
> 00000000
> 1fe0: 00000000 bec0eb0c 0000c694 b6f4248c 60000010 00000003 fdfffffb
> ffffffff
> [<c06c01f4>] (down_read) from [<c022a154>] (totmaps_proc_show+0x2c/0x1e8)
> [<c022a154>] (totmaps_proc_show) from [<c01fe564>] (seq_read+0x1c8/0x4b8)
> [<c01fe564>] (seq_read) from [<c01dc850>] (__vfs_read+0x2c/0x110)
> [<c01dc850>] (__vfs_read) from [<c01ddca0>] (vfs_read+0x8c/0x110)
> [<c01ddca0>] (vfs_read) from [<c01ddd64>] (SyS_read+0x40/0x8c)
> [<c01ddd64>] (SyS_read) from [<c0107900>] (ret_fast_syscall+0x0/0x3c)
>
> It seems that some protection is needed for such processes, so that
> totmaps would return empty string then, like in case of smaps.
>

Thanks for the testing Jacek!

I had a look around the corresponding smaps code, but I'm not seeing any 
checks, do you know where that check actually is made?


Rob.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ