lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Mon, 13 Nov 2017 22:14:36 +0100 (CET)
From:   Thomas Gleixner <tglx@...utronix.de>
To:     "Kirill A. Shutemov" <kirill@...temov.name>
cc:     "Kirill A. Shutemov" <kirill.shutemov@...ux.intel.com>,
        Ingo Molnar <mingo@...hat.com>,
        Linus Torvalds <torvalds@...ux-foundation.org>, x86@...nel.org,
        "H. Peter Anvin" <hpa@...or.com>,
        Andy Lutomirski <luto@...capital.net>,
        Cyrill Gorcunov <gorcunov@...nvz.org>,
        Nicholas Piggin <npiggin@...il.com>, linux-mm@...ck.org,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH] x86/mm: Do not allow non-MAP_FIXED mapping across
 DEFAULT_MAP_WINDOW border

On Mon, 13 Nov 2017, Kirill A. Shutemov wrote:
> On Mon, Nov 13, 2017 at 08:14:54PM +0100, Thomas Gleixner wrote:
> > > > It will succeed with 5-level paging.
> > > 
> > > And why is this allowed?
> > > 
> > > > It should be safe as with 4-level paging such request would fail and it's
> > > > reasonable to expect that userspace is not relying on the failure to
> > > > function properly.
> > > 
> > > Huch?
> > > 
> > > The first rule when looking at user space is that is broken or
> > > hostile. Reasonable and user space are mutually exclusive.
> > 
> > Aside of that in case of get_unmapped_area:
> > 
> > If va_unmapped_area() fails, then the address and the len which caused the
> > overlap check to trigger are handed in to arch_get_unmapped_area(), which
> > again can create an invalid mapping if I'm not missing something.
> > 
> > If mappings which overlap the boundary are invalid then we have to make
> > sure at all ends that they wont happen.
> 
> They are not invalid.
> 
> The patch tries to address following theoretical issue:
> 
> We have an application that tries, for some reason, to allocate memory
> with mmap(addr), without MAP_FIXED, where addr is near the borderline of
> 47-bit address space and addr+len is above the border.
> 
> On 4-level paging machine this request would succeed, but the address will
> always be within 47-bit VA -- cannot allocate by hint address, ignore it.
> 
> If the application cannot handle high address this might be an issue on
> 5-level paging machine as such call would succeed *and* allocate memory by
> the specified hint address. In this case part of the mapping would be
> above the border line and may lead to misbehaviour.
> 
> I hope this makes any sense :)

I can see where you are heading to. Now the case I was looking at is:

arch_get_unmapped_area_topdown()

	addr0 = addr;
	
	....
	if (addr) {
		if (cross_border(addr, len))
			goto get_unmapped_area;
		...
	}
get_unmapped_area:
	...
	if (addr > DEFAULT_MAP_WINDOW && !in_compat_syscall())

	   ^^^ evaluates to false because addr < DEFAULT_MAP_WINDOW

	addr - vm_unmapped_area(&info);

	   ^^^ fails for whatever reason.

bottomup:
	return arch_get_unmapped_area(.., addr0, len, ....);


AFAICT arch_get_unmapped_area() can allocate a mapping which crosses the
border, i.e. a mapping which you want to prevent for the !MAP_FIXED case.

Thanks,

	tglx

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ