lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20170717064407.GB7397@dhcp22.suse.cz>
Date:   Mon, 17 Jul 2017 08:44:08 +0200
From:   Michal Hocko <mhocko@...nel.org>
To:     Mike Kravetz <mike.kravetz@...cle.com>
Cc:     Vlastimil Babka <vbabka@...e.cz>, linux-mm@...ck.org,
        linux-kernel@...r.kernel.org,
        Andrew Morton <akpm@...ux-foundation.org>,
        Andrea Arcangeli <aarcange@...hat.com>,
        Aaron Lu <aaron.lu@...el.com>,
        "Kirill A . Shutemov" <kirill.shutemov@...ux.intel.com>,
        Anshuman Khandual <khandual@...ux.vnet.ibm.com>,
        Linux API <linux-api@...r.kernel.org>
Subject: Re: [PATCH] mm/mremap: Fail map duplication attempts for private
 mappings

On Fri 14-07-17 10:29:01, Mike Kravetz wrote:
> On 07/14/2017 01:26 AM, Michal Hocko wrote:
> > On Thu 13-07-17 15:33:47, Mike Kravetz wrote:
> >> On 07/13/2017 12:11 PM, Vlastimil Babka wrote:
> >>> [+CC linux-api]
> >>>
> >>> On 07/13/2017 05:58 PM, Mike Kravetz wrote:
> >>>> mremap will create a 'duplicate' mapping if old_size == 0 is
> >>>> specified.  Such duplicate mappings make no sense for private
> >>>> mappings.  If duplication is attempted for a private mapping,
> >>>> mremap creates a separate private mapping unrelated to the
> >>>> original mapping and makes no modifications to the original.
> >>>> This is contrary to the purpose of mremap which should return
> >>>> a mapping which is in some way related to the original.
> >>>>
> >>>> Therefore, return EINVAL in the case where if an attempt is
> >>>> made to duplicate a private mapping.
> >>>>
> >>>> Signed-off-by: Mike Kravetz <mike.kravetz@...cle.com>
> >>>
> >>> Acked-by: Vlastimil Babka <vbabka@...e.cz>
> >>>
> >>
> >> In another e-mail thread, Andrea makes the case that mremap(old_size == 0)
> >> of private file backed mappings could possibly be used for something useful.
> >> For example to create a private COW mapping.
> > 
> > What does this mean exactly? I do not see it would force CoW so again
> > the new mapping could fail with the basic invariant that the content
> > of the new mapping should match the old one (e.g. old mapping already
> > CoWed some pages the new mapping would still contain the origin content
> > unless I am missing something).
> 
> I do not think you are missing anything.  You are correct in saying that
> the new mapping would be COW of the original file contents.  It is NOT
> based on any private pages of the old private mapping.  Sorry, my wording
> above was not quite clear.
> 
> As previously discussed, the more straight forward to way to accomplish
> the same thing would be a simple call to mmap with the fd.
> 
> After thinking about this some more, perhaps the original patch to return
> EINVAL for all private mappings makes more sense.  Even in the case of a
> file backed private mapping, the new mapping will be based on the file and
> not the old mapping.  The purpose of mremap is to create a new mapping
> based on the old mapping.  So, this is not strictly in line with the purpose
> of mremap.

Yes that is exactly my point. One would expect that the new mapping has
the same content as the previous mapping at the time when it was created
and the copy will be "atomic" (wrt. page faults). Otherwise you could
simply implement it in the userspace.

That being said, I do not think we should try to pretend this is a
correct behavior and the !old_len should be supported only for the
shared mappings which have at least reasonable semantic.

> Actually, the more I think about this, the more I wish there was some way
> to deprecate and eventually eliminate the old_size == 0 behavior.
> 
> > [...]
> >> +	/*
> >> +	 * !old_len  is a special case where a mapping is 'duplicated'.
> >> +	 * Do not allow this for private anon mappings.
> >> +	 */
> >> +	if (!old_len && vma_is_anonymous(vma) &&
> >> +	    !(vma->vm_flags & (VM_SHARED | VM_MAYSHARE)))
> >> +		return ERR_PTR(-EINVAL);
> > 
> > Why is vma_is_anonymous() without VM_*SHARE* check insufficient?
> 
> Are you asking,
> why is if (!old_len && vma_is_anonymous(vma)) insufficient?

yes

> If so, you are correct that the additional check for VM_*SHARE* is not
> necessary.  Shared mappings are technically not anonymous as they must
> contain a common backing object.

that is my understanding as well. But maybe there are some weird
mappings which do not have vm_ops and populate the whole range inside
the mmap callback. I remember we had a CVE for those but forgot all
details of course. Failing on those doesn't seem like a tragedy to me
and maybe it is even correct.
-- 
Michal Hocko
SUSE Labs

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ