lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <b1b80402-2c90-8006-bcf8-716e6ef719c2@suse.cz>
Date:   Mon, 5 Dec 2022 23:13:12 +0100
From:   Vlastimil Babka <vbabka@...e.cz>
To:     Jann Horn <jannh@...gle.com>,
        Andrew Morton <akpm@...ux-foundation.org>
Cc:     Liam Howlett <liam.howlett@...cle.com>,
        "linux-mm@...ck.org" <linux-mm@...ck.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        Yu Zhao <yuzhao@...gle.com>, Jason Donenfeld <Jason@...c4.com>,
        Matthew Wilcox <willy@...radead.org>,
        SeongJae Park <sj@...nel.org>
Subject: Re: [PATCH v2] mmap: Fix do_brk_flags() modifying obviously incorrect
 VMAs

On 12/5/22 22:55, Jann Horn wrote:
> On Mon, Dec 5, 2022 at 9:32 PM Andrew Morton <akpm@...ux-foundation.org> wrote:
>> On Mon, 5 Dec 2022 19:23:17 +0000 Liam Howlett <liam.howlett@...cle.com> wrote:
>> > Add more sanity checks to the VMA that do_brk_flags() will expand.
>> > Ensure the VMA matches basic merge requirements within the function
>> > before calling can_vma_merge_after().
>>
>> I't unclear what's actually being fixed here.
>>
>> Why do you feel we need the above changes?
>>
>> > Drop the duplicate checks from vm_brk_flags() since they will be
>> > enforced later.
>> >
>> > Fixes: 2e7ce7d354f2 ("mm/mmap: change do_brk_flags() to expand existing VMA and add do_brk_munmap()")
>>
>> Fixes in what way?  Removing the duplicate checks?
> 
> The old code would expand file VMAs on brk(), which is functionally
> wrong and also dangerous in terms of locking because the brk() path
> isn't designed for file VMAs and therefore doesn't lock the file
> mapping. Checking can_vma_merge_after() ensures that new anonymous
> VMAs can't be merged into file VMAs.
> 
> See https://lore.kernel.org/linux-mm/CAG48ez1tJZTOjS_FjRZhvtDA-STFmdw8PEizPDwMGFd_ui0Nrw@mail.gmail.com/
> .

I guess the point is that if we fix it still within 6.1, we don't have to
devise how exactly this is exploitable, but due to the insufficient locking
it most likely is, right?

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ