| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <b35374d1-858c-393a-7b63-8816efe9b175@suse.cz>
Date: Tue, 19 Apr 2022 17:56:51 +0200
From: Vlastimil Babka <vbabka@...e.cz>
To: David Hildenbrand <david@...hat.com>, linux-kernel@...r.kernel.org
Cc: Andrew Morton <akpm@...ux-foundation.org>,
Hugh Dickins <hughd@...gle.com>,
Linus Torvalds <torvalds@...ux-foundation.org>,
David Rientjes <rientjes@...gle.com>,
Shakeel Butt <shakeelb@...gle.com>,
John Hubbard <jhubbard@...dia.com>,
Jason Gunthorpe <jgg@...dia.com>,
Mike Kravetz <mike.kravetz@...cle.com>,
Mike Rapoport <rppt@...ux.ibm.com>,
Yang Shi <shy828301@...il.com>,
"Kirill A . Shutemov" <kirill.shutemov@...ux.intel.com>,
Matthew Wilcox <willy@...radead.org>,
Jann Horn <jannh@...gle.com>, Michal Hocko <mhocko@...nel.org>,
Nadav Amit <namit@...are.com>, Rik van Riel <riel@...riel.com>,
Roman Gushchin <guro@...com>,
Andrea Arcangeli <aarcange@...hat.com>,
Peter Xu <peterx@...hat.com>,
Donald Dutile <ddutile@...hat.com>,
Christoph Hellwig <hch@....de>,
Oleg Nesterov <oleg@...hat.com>, Jan Kara <jack@...e.cz>,
Liang Zhang <zhangliang5@...wei.com>,
Pedro Gomes <pedrodemargomes@...il.com>,
Oded Gabbay <oded.gabbay@...il.com>, linux-mm@...ck.org
Subject: Re: [PATCH v3 15/16] mm/gup: trigger FAULT_FLAG_UNSHARE when
R/O-pinning a possibly shared anonymous page
On 3/29/22 18:04, David Hildenbrand wrote:
> Whenever GUP currently ends up taking a R/O pin on an anonymous page that
> might be shared -- mapped R/O and !PageAnonExclusive() -- any write fault
> on the page table entry will end up replacing the mapped anonymous page
> due to COW, resulting in the GUP pin no longer being consistent with the
> page actually mapped into the page table.
>
> The possible ways to deal with this situation are:
> (1) Ignore and pin -- what we do right now.
> (2) Fail to pin -- which would be rather surprising to callers and
> could break user space.
> (3) Trigger unsharing and pin the now exclusive page -- reliable R/O
> pins.
>
> Let's implement 3) because it provides the clearest semantics and
> allows for checking in unpin_user_pages() and friends for possible BUGs:
> when trying to unpin a page that's no longer exclusive, clearly
> something went very wrong and might result in memory corruptions that
> might be hard to debug. So we better have a nice way to spot such
> issues.
>
> This change implies that whenever user space *wrote* to a private
> mapping (IOW, we have an anonymous page mapped), that GUP pins will
> always remain consistent: reliable R/O GUP pins of anonymous pages.
>
> As a side note, this commit fixes the COW security issue for hugetlb with
> FOLL_PIN as documented in:
> https://lore.kernel.org/r/3ae33b08-d9ef-f846-56fb-645e3b9b4c66@redhat.com
> The vmsplice reproducer still applies, because vmsplice uses FOLL_GET
> instead of FOLL_PIN.
>
> Note that follow_huge_pmd() doesn't apply because we cannot end up in
> there with FOLL_PIN.
>
> This commit is heavily based on prototype patches by Andrea.
>
> Co-developed-by: Andrea Arcangeli <aarcange@...hat.com>
> Signed-off-by: Andrea Arcangeli <aarcange@...hat.com>
> Signed-off-by: David Hildenbrand <david@...hat.com>
Acked-by: Vlastimil Babka <vbabka@...e.cz>
Powered by blists - more mailing lists