lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20171114120520.u3cyxw42wqvvnnf6@node.shutemov.name>
Date:   Tue, 14 Nov 2017 15:05:20 +0300
From:   "Kirill A. Shutemov" <kirill@...temov.name>
To:     Thomas Gleixner <tglx@...utronix.de>
Cc:     "Kirill A. Shutemov" <kirill.shutemov@...ux.intel.com>,
        Ingo Molnar <mingo@...hat.com>,
        Linus Torvalds <torvalds@...ux-foundation.org>, x86@...nel.org,
        "H. Peter Anvin" <hpa@...or.com>,
        Andy Lutomirski <luto@...capital.net>,
        Cyrill Gorcunov <gorcunov@...nvz.org>,
        Nicholas Piggin <npiggin@...il.com>, linux-mm@...ck.org,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH] x86/mm: Do not allow non-MAP_FIXED mapping across
 DEFAULT_MAP_WINDOW border

On Mon, Nov 13, 2017 at 10:14:36PM +0100, Thomas Gleixner wrote:
> On Mon, 13 Nov 2017, Kirill A. Shutemov wrote:
> > On Mon, Nov 13, 2017 at 08:14:54PM +0100, Thomas Gleixner wrote:
> > > > > It will succeed with 5-level paging.
> > > > 
> > > > And why is this allowed?
> > > > 
> > > > > It should be safe as with 4-level paging such request would fail and it's
> > > > > reasonable to expect that userspace is not relying on the failure to
> > > > > function properly.
> > > > 
> > > > Huch?
> > > > 
> > > > The first rule when looking at user space is that is broken or
> > > > hostile. Reasonable and user space are mutually exclusive.
> > > 
> > > Aside of that in case of get_unmapped_area:
> > > 
> > > If va_unmapped_area() fails, then the address and the len which caused the
> > > overlap check to trigger are handed in to arch_get_unmapped_area(), which
> > > again can create an invalid mapping if I'm not missing something.
> > > 
> > > If mappings which overlap the boundary are invalid then we have to make
> > > sure at all ends that they wont happen.
> > 
> > They are not invalid.
> > 
> > The patch tries to address following theoretical issue:
> > 
> > We have an application that tries, for some reason, to allocate memory
> > with mmap(addr), without MAP_FIXED, where addr is near the borderline of
> > 47-bit address space and addr+len is above the border.
> > 
> > On 4-level paging machine this request would succeed, but the address will
> > always be within 47-bit VA -- cannot allocate by hint address, ignore it.
> > 
> > If the application cannot handle high address this might be an issue on
> > 5-level paging machine as such call would succeed *and* allocate memory by
> > the specified hint address. In this case part of the mapping would be
> > above the border line and may lead to misbehaviour.
> > 
> > I hope this makes any sense :)
> 
> I can see where you are heading to. Now the case I was looking at is:
> 
> arch_get_unmapped_area_topdown()
> 
> 	addr0 = addr;
> 	
> 	....
> 	if (addr) {
> 		if (cross_border(addr, len))
> 			goto get_unmapped_area;
> 		...
> 	}
> get_unmapped_area:
> 	...
> 	if (addr > DEFAULT_MAP_WINDOW && !in_compat_syscall())
> 
> 	   ^^^ evaluates to false because addr < DEFAULT_MAP_WINDOW
> 
> 	addr - vm_unmapped_area(&info);
> 
> 	   ^^^ fails for whatever reason.
> 
> bottomup:
> 	return arch_get_unmapped_area(.., addr0, len, ....);
> 
> 
> AFAICT arch_get_unmapped_area() can allocate a mapping which crosses the
> border, i.e. a mapping which you want to prevent for the !MAP_FIXED case.

No, it can't as long as addr0 is below DEFAULT_MAP_WINDOW:

arch_get_unmapped_area()
{
	...
	find_start_end(addr, flags, &begin, &end);
	// end is DEFAULT_MAP_WINDOW here, since addr is below the border
	...
	if (addr) {
		...
		// end - len is less than addr, so the condition below is
		// false.
		if (end - len >= addr &&
		    (!vma || addr + len <= vm_start_gap(vma)))
			return addr;
	}
	...
	info.high_limit = end;
	...
	return vm_unmapped_area(&info);
}

-- 
 Kirill A. Shutemov

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ