| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 21 Jun 2017 19:01:29 +0200
From: Oleg Nesterov <oleg@...hat.com>
To: Cyrill Gorcunov <gorcunov@...il.com>
Cc: Hugh Dickins <hughd@...gle.com>, Andrey Vagin <avagin@...nvz.org>,
LKML <linux-kernel@...r.kernel.org>,
Pavel Emelyanov <xemul@...tuozzo.com>,
Dmitry Safonov <dsafonov@...tuozzo.com>,
Andrew Morton <akpm@...uxfoundation.org>,
Adrian Reber <areber@...hat.com>
Subject: Re: [criu] 1M guard page ruined restore
On 06/21, Cyrill Gorcunov wrote:
>
> On Wed, Jun 21, 2017 at 05:57:30PM +0200, Oleg Nesterov wrote:
> > >
> > > p = fake_grow_down;
> > > *p-- = 'c';
> >
> > I guess this works? I mean, *p-- = 'c' should not fail...
>
> It fails.
Hmm. Impossible ;) could you add the additional printf's to re-check?
> Here is the complete code. It supposed to _extend_ stack but it fails
> on the latest master + Hugh's [PATCH] mm: fix new crash in unmapped_area_topdown()
> ---
> [root@fc2 criu]# ~/st2
> start_addr 7fe6162a8000
> start_addr 7fe6163d9000
> Segmentation fault (core dumped)
> ---
> #include <stdio.h>
> #include <stdlib.h>
> #include <errno.h>
> #include <stdlib.h>
> #include <string.h>
> #include <unistd.h>
>
> #include <sys/mman.h>
>
> #define PAGE_SIZE 4096
>
> int main(int argc, char **argv)
> {
> char *start_addr, *start_addr1, *fake_grow_down, *test_addr, *grow_down;
> volatile char *p;
>
> start_addr = mmap(NULL, PAGE_SIZE * 512, PROT_READ | PROT_WRITE, MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);
> if (start_addr == MAP_FAILED) {
> printf("Can't mal a new region");
> return 1;
> }
> printf("start_addr %lx\n", start_addr);
> munmap(start_addr, PAGE_SIZE * 512);
>
> start_addr += PAGE_SIZE * 300;
>
> fake_grow_down = mmap(start_addr + PAGE_SIZE * 5, PAGE_SIZE,
> PROT_READ | PROT_WRITE,
> MAP_ANONYMOUS | MAP_PRIVATE | MAP_FIXED | MAP_GROWSDOWN, -1, 0);
> if (fake_grow_down == MAP_FAILED) {
> printf("Can't mal a new region");
> return 1;
> }
> printf("start_addr %lx\n", fake_grow_down);
>
> p = fake_grow_down;
> *p-- = 'c';
once again, I can't believe this STORE can fail...
> *p = 'b';
Ah. I forgot about another kernel "feature" ;) not related to the recent guard
page changes...
Could you test the patch below?
Oleg.
diff --git a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c
index 8ad91a0..edc5d68 100644
--- a/arch/x86/mm/fault.c
+++ b/arch/x86/mm/fault.c
@@ -1416,7 +1416,7 @@ __do_page_fault(struct pt_regs *regs, unsigned long error_code,
* and pusha to work. ("enter $65535, $31" pushes
* 32 pointers and then decrements %sp by 65535.)
*/
- if (unlikely(address + 65536 + 32 * sizeof(unsigned long) < regs->sp)) {
+if (0) if (unlikely(address + 65536 + 32 * sizeof(unsigned long) < regs->sp)) {
bad_area(regs, error_code, address);
return;
}
Powered by blists - more mailing lists