lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <20220720215319.87839-1-peterx@redhat.com>
Date:   Wed, 20 Jul 2022 17:53:19 -0400
From:   Peter Xu <peterx@...hat.com>
To:     linux-mm@...ck.org, linux-kernel@...r.kernel.org
Cc:     peterx@...hat.com, David Hildenbrand <david@...hat.com>,
        Nadav Amit <nadav.amit@...il.com>,
        Andrea Arcangeli <aarcange@...hat.com>,
        Andrew Morton <akpm@...ux-foundation.org>
Subject: [PATCH] mm/mprotect: Fix soft-dirty check in can_change_pte_writable()

The check wanted to make sure when soft-dirty tracking is enabled we won't
grant write bit by accident, as a page fault is needed for dirty tracking.
The intention is correct but we didn't check it right because VM_SOFTDIRTY
set actually means soft-dirty tracking disabled.  Fix it.

It wasn't a bug for a long time because we used to only optimize the write
bit settings in change_pte_range() for page caches, and since we've got a
higher level check in vma_wants_writenotify(), we will never set the bit
MM_CP_TRY_CHANGE_WRITABLE for soft-dirty enabled page caches, hence even if
we checked with the wrong value of VM_SOFTDIRTY in change_pte_range() it'll
just be an no-op.  Functionally it was still correct, even if cpu cycles
wasted.

However after the recent work of anonymous page optimization on exclusive
pages we'll start to make it wrong because anonymous page does not require
the check in vma_wants_writenotify() hence it'll suffer from the wrong
check here in can_change_pte_writable().

We can easily verify this with any exclusive anonymous page, like program
below:

=======8<======

unsigned int psize;
char *page;

uint64_t pagemap_read_vaddr(int fd, void *vaddr)
{
    uint64_t value;
    int ret;

    ret = pread(fd, &value, sizeof(uint64_t),
                ((uint64_t)vaddr >> 12) * sizeof(uint64_t));
    assert(ret == sizeof(uint64_t));

    return value;
}

void clear_refs_write(void)
{
    int fd = open("/proc/self/clear_refs", O_RDWR);

    assert(fd >= 0);
    write(fd, "4", 2);
    close(fd);
}

        bool dirty = pagemap_read_vaddr(fd, page) & PM_SOFT_DIRTY;      \
        if (dirty != expect) {                                          \
            printf("ERROR: %s, soft-dirty=%d (expect: %d)\n", str, dirty, expect); \
            exit(-1);                                                   \
        }                                                               \
} while (0)

int main(void)
{
    int fd = open("/proc/self/pagemap", O_RDONLY);

    assert(fd >= 0);
    psize = getpagesize();
    page = mmap(NULL, psize, PROT_READ|PROT_WRITE,
                MAP_ANONYMOUS|MAP_PRIVATE, -1, 0);
    assert(page != MAP_FAILED);

    *page = 1;
    check_soft_dirty("Just faulted in page", 1);
    clear_refs_write();
    check_soft_dirty("Clear_refs written", 0);
    mprotect(page, psize, PROT_READ);
    check_soft_dirty("Marked RO", 0);
    mprotect(page, psize, PROT_READ|PROT_WRITE);
    check_soft_dirty("Marked RW", 0);
    *page = 2;
    check_soft_dirty("Wrote page again", 1);

    munmap(page, psize);
    close(fd);
    printf("Test passed.\n");

    return 0;
}
=======8<======

So even if commit 64fe24a3e05e kept the old behavior and didn't attempt to
change the behavior here, the bug will only be able to be triggered after
commit 64fe24a3e05e because only anonymous page will suffer from it.

Fixes: 64fe24a3e05e ("mm/mprotect: try avoiding write faults for exclusive anonymous pages when changing protection")
Signed-off-by: Peter Xu <peterx@...hat.com>
---
 mm/mprotect.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/mm/mprotect.c b/mm/mprotect.c
index 0420c3ed936c..804807ab14e6 100644
--- a/mm/mprotect.c
+++ b/mm/mprotect.c
@@ -48,8 +48,11 @@ static inline bool can_change_pte_writable(struct vm_area_struct *vma,
 	if (pte_protnone(pte) || !pte_dirty(pte))
 		return false;
 
-	/* Do we need write faults for softdirty tracking? */
-	if ((vma->vm_flags & VM_SOFTDIRTY) && !pte_soft_dirty(pte))
+	/*
+	 * Do we need write faults for softdirty tracking?  Note,
+	 * soft-dirty is enabled when !VM_SOFTDIRTY.
+	 */
+	if (!(vma->vm_flags & VM_SOFTDIRTY) && !pte_soft_dirty(pte))
 		return false;
 
 	/* Do we need write faults for uffd-wp tracking? */
-- 
2.32.0

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ