lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <0fa49d1f-a05d-bdb1-df60-800ff5999d8e@redhat.com>
Date:   Tue, 3 May 2022 20:35:59 +0200
From:   David Hildenbrand <david@...hat.com>
To:     Andrew Morton <akpm@...ux-foundation.org>,
        liusongtang <liusongtang@...wei.com>
Cc:     linux-mm@...ck.org, linux-kernel@...r.kernel.org,
        nixiaoming@...wei.com, young.liuyang@...wei.com,
        wangkefeng@...wei.com
Subject: Re: [PATCH] mm/mprotect: reduce Committed_AS if memory protection is
 changed to PROT_NONE

On 26.04.22 22:34, Andrew Morton wrote:
> On Tue, 26 Apr 2022 19:27:05 +0800 liusongtang <liusongtang@...wei.com> wrote:
> 
>> If PROT_WRITE is set, the size of vm area will be added to Committed_AS.
>> However, if memory protection is changed to PROT_NONE,
>> the corresponding physical memory will not be used, but Committed_AS still
>> count the size of the PROT_NONE memory.
>>
>> This patch reduce Committed_AS and free the corresponding memory if
>> memory protection is changed to PROT_NONE.
>>
>> ...
>>
>> --- a/mm/mprotect.c
>> +++ b/mm/mprotect.c
>> @@ -497,6 +497,12 @@ mprotect_fixup(struct vm_area_struct *vma, struct vm_area_struct **pprev,
>>  	}
>>  
>>  success:
>> +	if ((newflags & (VM_READ | VM_WRITE | VM_EXEC | VM_LOCKED | VM_ACCOUNT)) == VM_ACCOUNT) {
>> +		zap_page_range(vma, start, end - start);
>> +		newflags &= ~VM_ACCOUNT;
>> +		vm_unacct_memory((end - start) >> PAGE_SHIFT);
>> +	}
>> +
>>  	/*
>>  	 * vm_flags and vm_page_prot are protected by the mmap_lock
>>  	 * held in write mode.
> 
> Surprised.  If userspace does mprotect(addr, len.  PROT_NONE) then
> mprotect(addr, len.  PROT_READ), what is now at *addr?  Zeroes?
> 

I don't think so. I don't see any pages getting zapped at my quick test
(unless it's wrong) shows that data is maintained. Further, it could
violate POSIX semantics.

So this patch is wrong, there might have been anonymous pages populated.

-- 
Thanks,

David / dhildenb

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ