lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <alpine.LSU.2.11.1706192123460.9853@eggly.anvils>
Date:   Mon, 19 Jun 2017 21:40:15 -0700 (PDT)
From:   Hugh Dickins <hughd@...gle.com>
To:     Linus Torvalds <torvalds@...ux-foundation.org>
cc:     Hugh Dickins <hughd@...gle.com>,
        Dave Jones <davej@...emonkey.org.uk>,
        Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
        Oleg Nesterov <oleg@...hat.com>, Michal Hocko <mhocko@...e.com>
Subject: Re: Linux 4.12-rc6

On Mon, 19 Jun 2017, Hugh Dickins wrote:
> On Tue, 20 Jun 2017, Linus Torvalds wrote:
> > On Tue, Jun 20, 2017 at 8:26 AM, Dave Jones <davej@...emonkey.org.uk> wrote:
> > >  > Hugh Dickins (1):
> > >  >       mm: larger stack guard gap, between vmas
> > >
> > > This seems to be buggered.
...
> > 
> > So maybe that "goto found" condition should have an additional test
> > for "gap_end > gap_start"?
> > 
> > Or maybe I'm just hallucinating and missed something. Hugh, Oleg,
> > Michal, can you take another look and double-check this logic?
> 
> My first impression is that you've got right to the heart of it,
> before I even started looking.  I'll go over that area more carefully
> now, in case there are other such instances, and post a test patch
> for Dave perhaps to try - but probably he's shut down now, so I'll
> then grab a trinity, and see what luck I have with it.

I've added nothing to your understanding: apart from general unease
about whether MAP_FIXED can push us into corners I hadn't expected.

I had originally wanted to add some more checks into DEBUG_VM_RB's
browse_rb(); but realized then that MAP_FIXED is perfectly entitled
to burst through the usual stack gaps I'd wanted to check there.

And I wonder if trinity will discover more issues with those final
adjustments at the end of unmapped_area[_topdowni]().  But enough
of deliberation, I'll get my trinity and try out the patch you
suggested below.  After a break.

Hugh

---

 mm/mmap.c |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- 4.12-rc6/mm/mmap.c	2017-06-19 09:06:10.035407505 -0700
+++ linux/mm/mmap.c	2017-06-19 21:09:28.616707311 -0700
@@ -1817,7 +1817,8 @@ unsigned long unmapped_area(struct vm_un
 		/* Check if current node has a suitable gap */
 		if (gap_start > high_limit)
 			return -ENOMEM;
-		if (gap_end >= low_limit && gap_end - gap_start >= length)
+		if (gap_end >= low_limit &&
+		    gap_end > gap_start && gap_end - gap_start >= length)
 			goto found;
 
 		/* Visit right subtree if it looks promising */
@@ -1920,7 +1921,8 @@ unsigned long unmapped_area_topdown(stru
 		gap_end = vm_start_gap(vma);
 		if (gap_end < low_limit)
 			return -ENOMEM;
-		if (gap_start <= high_limit && gap_end - gap_start >= length)
+		if (gap_start <= high_limit &&
+		    gap_end > gap_start && gap_end - gap_start >= length)
 			goto found;
 
 		/* Visit left subtree if it looks promising */

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ