| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20190226072027.GK13653@xz-x1>
Date: Tue, 26 Feb 2019 15:20:28 +0800
From: Peter Xu <peterx@...hat.com>
To: Mike Rapoport <rppt@...ux.ibm.com>
Cc: linux-mm@...ck.org, linux-kernel@...r.kernel.org,
David Hildenbrand <david@...hat.com>,
Hugh Dickins <hughd@...gle.com>,
Maya Gokhale <gokhale2@...l.gov>,
Jerome Glisse <jglisse@...hat.com>,
Pavel Emelyanov <xemul@...tuozzo.com>,
Johannes Weiner <hannes@...xchg.org>,
Martin Cracauer <cracauer@...s.org>, Shaohua Li <shli@...com>,
Marty McFadden <mcfadden8@...l.gov>,
Andrea Arcangeli <aarcange@...hat.com>,
Mike Kravetz <mike.kravetz@...cle.com>,
Denis Plotnikov <dplotnikov@...tuozzo.com>,
Mike Rapoport <rppt@...ux.vnet.ibm.com>,
Mel Gorman <mgorman@...e.de>,
"Kirill A . Shutemov" <kirill@...temov.name>,
"Dr . David Alan Gilbert" <dgilbert@...hat.com>,
Rik van Riel <riel@...hat.com>
Subject: Re: [PATCH v2 20/26] userfaultfd: wp: support write protection for
userfault vma range
On Tue, Feb 26, 2019 at 08:43:47AM +0200, Mike Rapoport wrote:
> On Tue, Feb 26, 2019 at 02:06:27PM +0800, Peter Xu wrote:
> > On Mon, Feb 25, 2019 at 10:52:34PM +0200, Mike Rapoport wrote:
> > > On Tue, Feb 12, 2019 at 10:56:26AM +0800, Peter Xu wrote:
> > > > From: Shaohua Li <shli@...com>
> > > >
> > > > Add API to enable/disable writeprotect a vma range. Unlike mprotect,
> > > > this doesn't split/merge vmas.
> > > >
> > > > Cc: Andrea Arcangeli <aarcange@...hat.com>
> > > > Cc: Rik van Riel <riel@...hat.com>
> > > > Cc: Kirill A. Shutemov <kirill@...temov.name>
> > > > Cc: Mel Gorman <mgorman@...e.de>
> > > > Cc: Hugh Dickins <hughd@...gle.com>
> > > > Cc: Johannes Weiner <hannes@...xchg.org>
> > > > Signed-off-by: Shaohua Li <shli@...com>
> > > > Signed-off-by: Andrea Arcangeli <aarcange@...hat.com>
> > > > [peterx:
> > > > - use the helper to find VMA;
> > > > - return -ENOENT if not found to match mcopy case;
> > > > - use the new MM_CP_UFFD_WP* flags for change_protection
> > > > - check against mmap_changing for failures]
> > > > Signed-off-by: Peter Xu <peterx@...hat.com>
> > > > ---
> > > > include/linux/userfaultfd_k.h | 3 ++
> > > > mm/userfaultfd.c | 54 +++++++++++++++++++++++++++++++++++
> > > > 2 files changed, 57 insertions(+)
> > > >
> > > > diff --git a/include/linux/userfaultfd_k.h b/include/linux/userfaultfd_k.h
> > > > index 765ce884cec0..8f6e6ed544fb 100644
> > > > --- a/include/linux/userfaultfd_k.h
> > > > +++ b/include/linux/userfaultfd_k.h
> > > > @@ -39,6 +39,9 @@ extern ssize_t mfill_zeropage(struct mm_struct *dst_mm,
> > > > unsigned long dst_start,
> > > > unsigned long len,
> > > > bool *mmap_changing);
> > > > +extern int mwriteprotect_range(struct mm_struct *dst_mm,
> > > > + unsigned long start, unsigned long len,
> > > > + bool enable_wp, bool *mmap_changing);
> > > >
> > > > /* mm helpers */
> > > > static inline bool is_mergeable_vm_userfaultfd_ctx(struct vm_area_struct *vma,
> > > > diff --git a/mm/userfaultfd.c b/mm/userfaultfd.c
> > > > index fefa81c301b7..529d180bb4d7 100644
> > > > --- a/mm/userfaultfd.c
> > > > +++ b/mm/userfaultfd.c
> > > > @@ -639,3 +639,57 @@ ssize_t mfill_zeropage(struct mm_struct *dst_mm, unsigned long start,
> > > > {
> > > > return __mcopy_atomic(dst_mm, start, 0, len, true, mmap_changing, 0);
> > > > }
> > > > +
> > > > +int mwriteprotect_range(struct mm_struct *dst_mm, unsigned long start,
> > > > + unsigned long len, bool enable_wp, bool *mmap_changing)
> > > > +{
> > > > + struct vm_area_struct *dst_vma;
> > > > + pgprot_t newprot;
> > > > + int err;
> > > > +
> > > > + /*
> > > > + * Sanitize the command parameters:
> > > > + */
> > > > + BUG_ON(start & ~PAGE_MASK);
> > > > + BUG_ON(len & ~PAGE_MASK);
> > > > +
> > > > + /* Does the address range wrap, or is the span zero-sized? */
> > > > + BUG_ON(start + len <= start);
> > >
> > > I'd replace these BUG_ON()s with
> > >
> > > if (WARN_ON())
> > > return -EINVAL;
> >
> > I believe BUG_ON() is used because these parameters should have been
> > checked in userfaultfd_writeprotect() already by the common
> > validate_range() even before calling mwriteprotect_range(). So I'm
> > fine with the WARN_ON() approach but I'd slightly prefer to simply
> > keep the patch as is to keep Jerome's r-b if you won't disagree. :)
>
> Right, userfaultfd_writeprotect() should check these parameters and if it
> didn't it was a bug indeed. But still, it's not severe enough to crash the
> kernel.
>
> I hope Jerome wouldn't mind to keep his r-b with s/BUG_ON/WARN_ON ;-)
>
> With this change you can also add
>
> Reviewed-by: Mike Rapoport <rppt@...ux.ibm.com>
Thanks! Though before I change anything... please note that the
BUG_ON()s are really what we've done in existing MISSING code. One
example is userfaultfd_copy() which did validate_range() first, then
in __mcopy_atomic() we've used BUG_ON()s. They make sense to me
becauase userspace should never be able to trigger it. And if we
really want to change the BUG_ON()s in this patch, IMHO we probably
want to change the other BUG_ON()s as well, then that can be a
standalone patch or patchset to address another issue...
(and if we really want to use WARN_ON, I would prefer WARN_ON_ONCE, or
directly return the errors to avoid DOS).
I'll see how you'd prefer to see how I should move on with this patch.
Thanks,
--
Peter Xu
Powered by blists - more mailing lists