| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 3 Sep 2021 14:56:21 -0700
From: Suren Baghdasaryan <surenb@...gle.com>
To: Kees Cook <keescook@...omium.org>
Cc: Andrew Morton <akpm@...ux-foundation.org>,
Colin Cross <ccross@...gle.com>,
Sumit Semwal <sumit.semwal@...aro.org>,
Michal Hocko <mhocko@...e.com>,
Dave Hansen <dave.hansen@...el.com>,
Matthew Wilcox <willy@...radead.org>,
"Kirill A . Shutemov" <kirill.shutemov@...ux.intel.com>,
Vlastimil Babka <vbabka@...e.cz>,
Johannes Weiner <hannes@...xchg.org>,
Jonathan Corbet <corbet@....net>,
Al Viro <viro@...iv.linux.org.uk>,
Randy Dunlap <rdunlap@...radead.org>,
Kalesh Singh <kaleshsingh@...gle.com>,
Peter Xu <peterx@...hat.com>, rppt@...nel.org,
Peter Zijlstra <peterz@...radead.org>,
Catalin Marinas <catalin.marinas@....com>,
vincenzo.frascino@....com,
Chinwen Chang (張錦文)
<chinwen.chang@...iatek.com>,
Axel Rasmussen <axelrasmussen@...gle.com>,
Andrea Arcangeli <aarcange@...hat.com>,
Jann Horn <jannh@...gle.com>, apopple@...dia.com,
John Hubbard <jhubbard@...dia.com>,
Yu Zhao <yuzhao@...gle.com>, Will Deacon <will@...nel.org>,
fenghua.yu@...el.com, thunder.leizhen@...wei.com,
Hugh Dickins <hughd@...gle.com>, feng.tang@...el.com,
Jason Gunthorpe <jgg@...pe.ca>, Roman Gushchin <guro@...com>,
Thomas Gleixner <tglx@...utronix.de>, krisman@...labora.com,
chris.hyser@...cle.com, Peter Collingbourne <pcc@...gle.com>,
"Eric W. Biederman" <ebiederm@...ssion.com>,
Jens Axboe <axboe@...nel.dk>, legion@...nel.org,
Rolf Eike Beer <eb@...ix.com>,
Cyrill Gorcunov <gorcunov@...il.com>,
Muchun Song <songmuchun@...edance.com>,
Viresh Kumar <viresh.kumar@...aro.org>,
Thomas Cedeno <thomascedeno@...gle.com>, sashal@...nel.org,
cxfcosmos@...il.com, Rasmus Villemoes <linux@...musvillemoes.dk>,
LKML <linux-kernel@...r.kernel.org>,
linux-fsdevel@...r.kernel.org, linux-doc@...r.kernel.org,
linux-mm <linux-mm@...ck.org>,
kernel-team <kernel-team@...roid.com>
Subject: Re: [PATCH v9 2/3] mm: add a field to store names for private
anonymous memory
On Fri, Sep 3, 2021 at 2:47 PM Kees Cook <keescook@...omium.org> wrote:
>
> (Sorry, a few more things jumped out at me when I looked again...)
>
> On Thu, Sep 02, 2021 at 04:18:12PM -0700, Suren Baghdasaryan wrote:
> > [...]
> > diff --git a/kernel/sys.c b/kernel/sys.c
> > index 72c7639e3c98..25118902a376 100644
> > --- a/kernel/sys.c
> > +++ b/kernel/sys.c
> > @@ -2299,6 +2299,64 @@ int __weak arch_prctl_spec_ctrl_set(struct task_struct *t, unsigned long which,
> >
> > #define PR_IO_FLUSHER (PF_MEMALLOC_NOIO | PF_LOCAL_THROTTLE)
> >
> > +#ifdef CONFIG_MMU
> > +
> > +#define ANON_VMA_NAME_MAX_LEN 256
> > +
> > +static inline bool is_valid_name_char(char ch)
> > +{
> > + /* printable ascii characters, except [ \ ] */
> > + return (ch > 0x1f && ch < 0x5b) || (ch > 0x5d && ch < 0x7f);
> > +}
>
> In the back of my mind, I feel like disallowing backtick would be nice,
> but then if $, (, and ) are allowed, it doesn't matter, and that seems
> too limiting. :)
It's not used by the only current user (Android) and we can always
allow more chars later. However going the other direction and
disallowing some of them I think would be harder (need to make sure
nobody uses them). WDYT if we keep it stricter and relax if needed?
>
> > +
> > +static int prctl_set_vma(unsigned long opt, unsigned long addr,
> > + unsigned long size, unsigned long arg)
> > +{
> > + struct mm_struct *mm = current->mm;
> > + const char __user *uname;
> > + char *name, *pch;
> > + int error;
> > +
> > + switch (opt) {
> > + case PR_SET_VMA_ANON_NAME:
> > + uname = (const char __user *)arg;
> > + if (!uname) {
> > + /* Reset the name */
> > + name = NULL;
> > + goto set_name;
> > + }
> > +
> > + name = strndup_user(uname, ANON_VMA_NAME_MAX_LEN);
> > +
> > + if (IS_ERR(name))
> > + return PTR_ERR(name);
> > +
> > + for (pch = name; *pch != '\0'; pch++) {
> > + if (!is_valid_name_char(*pch)) {
> > + kfree(name);
> > + return -EINVAL;
> > + }
> > + }
> > +set_name:
> > + mmap_write_lock(mm);
> > + error = madvise_set_anon_name(mm, addr, size, name);
> > + mmap_write_unlock(mm);
> > + kfree(name);
> > + break;
>
> This is a weird construct with a needless goto. Why not:
>
> switch (opt) {
> case PR_SET_VMA_ANON_NAME:
> uname = (const char __user *)arg;
> if (uname) {
> name = strndup_user(uname, ANON_VMA_NAME_MAX_LEN);
> if (IS_ERR(name))
> return PTR_ERR(name);
>
> for (pch = name; *pch != '\0'; pch++) {
> if (!is_valid_name_char(*pch)) {
> kfree(name);
> return -EINVAL;
> }
> }
> } else {
> /* Reset the name */
> name = NULL;
> }
> mmap_write_lock(mm);
> error = madvise_set_anon_name(mm, addr, size, name);
> mmap_write_unlock(mm);
> kfree(name);
> break;
Yeah, I was contemplating one way or the other (less indents vs clear
flow) and you convinced me :) Will change in the next rev.
Thanks for the review!
>
>
> --
> Kees Cook
Powered by blists - more mailing lists