| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 3 Jun 2021 12:07:18 -0700 (PDT)
From: Hugh Dickins <hughd@...gle.com>
To: Linus Torvalds <torvalds@...ux-foundation.org>
cc: Hugh Dickins <hughd@...gle.com>, Ming Lin <mlin@...nel.org>,
Simon Ser <contact@...rsion.fr>, Linux-MM <linux-mm@...ck.org>,
Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
linux-fsdevel <linux-fsdevel@...r.kernel.org>,
Linux API <linux-api@...r.kernel.org>
Subject: Re: [PATCH 2/2] mm: adds NOSIGBUS extension for out-of-band shmem
read
On Thu, 3 Jun 2021, Linus Torvalds wrote:
> On Wed, Jun 2, 2021 at 5:46 PM Hugh Dickins <hughd@...gle.com> wrote:
> >
> > Ideally you can simply call do_anonymous_page() from __do_fault()
> > in the VM_FAULT_SIGBUS on VM_NOSIGBUS case.
>
> Heh.
>
> We're actually then back to my original patch.
>
> That one doesn't handle shared mappings (even read-only ones), for the
> simple reason that do_anonymous_page() refuses to insert anonymous
> pages into a shared mapping, and has
>
> /* File mapping without ->vm_ops ? */
> if (vma->vm_flags & VM_SHARED)
> return VM_FAULT_SIGBUS;
>
> at the very top.
>
> But yes, if we just remove that check, I think my original patch
> should actually "JustWork(tm)".
But no!
Sorry, I don't have time for this at present, so haven't looked at
your original patch.
But the point that we've arrived at, that I'm actually now fairly
happy with, is do *not* permit MAP_NOSIGBUS on MAP_SHARED mappings.
I didn't check the placement yet, easy to get wrong, but I believe
Ming Lin is now enforcing that over at the mmap() end.
On a MAP_PRIVATE mapping, the nasty opaque blob of zeroes can
claim some precedent in what already happens with COW'ed pages.
Which leaves MAP_NOSIGBUS on MAP_SHARED as currently unsupported,
perhaps never supported on anything, perhaps one day supported on
shmem; but if it's ever supported then that one will naturally be
transparent to future changes in page cache - we call that "shared".
Of course, internally, there's the in-between case of MAP_SHARED
without PROT_WRITE and without writable fd: VM_MAYSHARE without
VM_SHARED or VM_MAYWRITE. We *could* let that one accept
MAP_NOSIGBUS, but who wants to write the manpage for it?
Please stick to MAP_PRIVATE: that's good enough.
>
> I'm attaching it again, with old name and old commentary (ie that
>
> /* FIXME! We don't have a VM_NOFAULT bit */
>
> should just be replaced with that VM_NOSIGBUS bit instead, and the
> #if'ed out region should be enabled.
>
> Oh, and we need to think hard about one more case: mprotect().
>
> In particular, I think the attached patch fails horribly for the case
> of a shared mapping that starts out read-only, then inserts a zero
> page, then somebody does mprotect(MAP_WRITE), and then writes to the
> page. I haven't checked what the write protect fault handler does, but
> I think that for a shared mapping it will just make the page dirty and
> writable.
Obviously the finished patch will need to be scrutinized carefully, but
I think the mprotect() questions vanish when restricted to MAP_PRIVATE.
>
> Which would be horribly wrong for VM_NOSIGBUS.
>
> So that support infrastructure that adds MAP_NOSIGBUS, and checks that
> it is only done on a read-only mapping, also has to make sure that it
> clears the VM_MAYWRITE bit when it sets VM_NOSIGBUS.
>
> That way mprotect can't then later make it writable.
>
> Hugh, comments on this approach?
Comments above, just stick to MAP_PRIVATE.
Hugh
>
> Again: this patch is my *OLD* one, I didn't try to update it to the
> new world order. It requires
>
> - Ming's MAP_NOSIGBUS ccode
>
> - removal of that "File mapping without ->vm_ops" case
>
> - that FIXME fixed and name updated
>
> - and that VM_MAYWRITE clearing if VM_NOSIGBUS is set, to avoid the
> mprotect issue.
>
> Hmm?
>
> Linus
Powered by blists - more mailing lists