lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <1606442130.8845.2.camel@mtkswgap22>
Date:   Fri, 27 Nov 2020 09:55:30 +0800
From:   Miles Chen <miles.chen@...iatek.com>
To:     "Eric W. Biederman" <ebiederm@...ssion.com>
CC:     Alexey Dobriyan <adobriyan@...il.com>,
        Andrew Morton <akpm@...ux-foundation.org>,
        <linux-kernel@...r.kernel.org>, <linux-fsdevel@...r.kernel.org>,
        <linux-mediatek@...ts.infradead.org>, <wsd_upstream@...iatek.com>
Subject: Re: [RESEND PATCH v1] proc: use untagged_addr() for pagemap_read
 addresses

On Tue, 2020-11-24 at 12:32 -0600, Eric W. Biederman wrote:
> Miles Chen <miles.chen@...iatek.com> writes:
> 
> > When we try to visit the pagemap of a tagged userspace pointer, we find
> > that the start_vaddr is not correct because of the tag.
> > To fix it, we should untag the usespace pointers in pagemap_read().
> >
> > I tested with 5.10-rc4 and the issue remains.
> >
> > My test code is baed on [1]:
> >
> > A userspace pointer which has been tagged by 0xb4: 0xb400007662f541c8
> 
> 
> Sigh this patch is buggy.
> 
> > === userspace program ===
> >
> > uint64 OsLayer::VirtualToPhysical(void *vaddr) {
> > 	uint64 frame, paddr, pfnmask, pagemask;
> > 	int pagesize = sysconf(_SC_PAGESIZE);
> > 	off64_t off = ((uintptr_t)vaddr) / pagesize * 8; // off = 0xb400007662f541c8 / pagesize * 8 = 0x5a00003b317aa0
> > 	int fd = open(kPagemapPath, O_RDONLY);
> > 	...
> >
> > 	if (lseek64(fd, off, SEEK_SET) != off || read(fd, &frame, 8) != 8) {
> > 		int err = errno;
> > 		string errtxt = ErrorString(err);
> > 		if (fd >= 0)
> > 			close(fd);
> > 		return 0;
> > 	}
> > ...
> > }
> >
> > === kernel fs/proc/task_mmu.c ===
> >
> > static ssize_t pagemap_read(struct file *file, char __user *buf,
> > 		size_t count, loff_t *ppos)
> > {
> > 	...
> > 	src = *ppos;
> > 	svpfn = src / PM_ENTRY_BYTES; // svpfn == 0xb400007662f54
> > 	start_vaddr = svpfn << PAGE_SHIFT; // start_vaddr == 0xb400007662f54000
> > 	end_vaddr = mm->task_size;
> >
> > 	/* watch out for wraparound */
> > 	// svpfn == 0xb400007662f54
> > 	// (mm->task_size >> PAGE) == 0x8000000
> > 	if (svpfn > mm->task_size >> PAGE_SHIFT) // the condition is true because of the tag 0xb4
> > 		start_vaddr = end_vaddr;
> >
> > 	ret = 0;
> > 	while (count && (start_vaddr < end_vaddr)) { // we cannot visit correct entry because start_vaddr is set to end_vaddr
> > 		int len;
> > 		unsigned long end;
> > 		...
> > 	}
> > 	...
> > }
> >
> > [1] https://github.com/stressapptest/stressapptest/blob/master/src/os.cc#L158
> >
> > Signed-off-by: Miles Chen <miles.chen@...iatek.com>
> > ---
> >  fs/proc/task_mmu.c | 4 ++--
> >  1 file changed, 2 insertions(+), 2 deletions(-)
> >
> > diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c
> > index 217aa2705d5d..e9a70f7ee515 100644
> > --- a/fs/proc/task_mmu.c
> > +++ b/fs/proc/task_mmu.c
> > @@ -1599,11 +1599,11 @@ static ssize_t pagemap_read(struct file *file, char __user *buf,
> >  
> >  	src = *ppos;
> >  	svpfn = src / PM_ENTRY_BYTES;
> 
> > -	start_vaddr = svpfn << PAGE_SHIFT;
> > +	start_vaddr = untagged_addr(svpfn << PAGE_SHIFT);
>         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> 
> Arguably the line above is safe, but unfortunately it has the
> possibility of suffering from overflow.
> 
> >  	end_vaddr = mm->task_size;
> >  
> >  	/* watch out for wraparound */
> > -	if (svpfn > mm->task_size >> PAGE_SHIFT)
> > +	if (start_vaddr > mm->task_size)
> >  		start_vaddr = end_vaddr;
> 
> Overflow handling you are removing here.
> >  
> >  	/*
> 
> 
> I suspect the proper way to handle this is to move the test for
> overflow earlier so the code looks something like:
> 
> 	end_vaddr = mm->task_size;
> 
> 	src = *ppos;
> 	svpfn = src / PM_ENTRY_BYTES;
> 
> 	/* watch out for wraparound */
>         start_vaddr = end_vaddr;
> 	if (svpfn < (ULONG_MAX >> PAGE_SHIFT))
>         	start_vaddr = untagged_addr(svpfn << PAGE_SHIFT);
> 
> 	/* Ensure the address is inside the task */
> 	if (start_vaddr > mm->task_size)
>         	start_vaddr = end_vaddr;


Thanks for the comment, I will fix that in patch v2.

Miles
> 
> Eric
> 

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ