[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAG48ez2trF-V658GpXC5u2N54omeZ0w_T1XTTcrtg+w0PEMeDw@mail.gmail.com>
Date: Mon, 5 Dec 2022 23:22:44 +0100
From: Jann Horn <jannh@...gle.com>
To: Vlastimil Babka <vbabka@...e.cz>
Cc: Andrew Morton <akpm@...ux-foundation.org>,
Liam Howlett <liam.howlett@...cle.com>,
"linux-mm@...ck.org" <linux-mm@...ck.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
Yu Zhao <yuzhao@...gle.com>, Jason Donenfeld <Jason@...c4.com>,
Matthew Wilcox <willy@...radead.org>,
SeongJae Park <sj@...nel.org>
Subject: Re: [PATCH v2] mmap: Fix do_brk_flags() modifying obviously incorrect VMAs
On Mon, Dec 5, 2022 at 11:13 PM Vlastimil Babka <vbabka@...e.cz> wrote:
> On 12/5/22 22:55, Jann Horn wrote:
> > On Mon, Dec 5, 2022 at 9:32 PM Andrew Morton <akpm@...ux-foundation.org> wrote:
> >> On Mon, 5 Dec 2022 19:23:17 +0000 Liam Howlett <liam.howlett@...cle.com> wrote:
> >> > Add more sanity checks to the VMA that do_brk_flags() will expand.
> >> > Ensure the VMA matches basic merge requirements within the function
> >> > before calling can_vma_merge_after().
> >>
> >> I't unclear what's actually being fixed here.
> >>
> >> Why do you feel we need the above changes?
> >>
> >> > Drop the duplicate checks from vm_brk_flags() since they will be
> >> > enforced later.
> >> >
> >> > Fixes: 2e7ce7d354f2 ("mm/mmap: change do_brk_flags() to expand existing VMA and add do_brk_munmap()")
> >>
> >> Fixes in what way? Removing the duplicate checks?
> >
> > The old code would expand file VMAs on brk(), which is functionally
> > wrong and also dangerous in terms of locking because the brk() path
> > isn't designed for file VMAs and therefore doesn't lock the file
> > mapping. Checking can_vma_merge_after() ensures that new anonymous
> > VMAs can't be merged into file VMAs.
> >
> > See https://lore.kernel.org/linux-mm/CAG48ez1tJZTOjS_FjRZhvtDA-STFmdw8PEizPDwMGFd_ui0Nrw@mail.gmail.com/
> > .
>
> I guess the point is that if we fix it still within 6.1, we don't have to
> devise how exactly this is exploitable,
Yeah, that was sort of my thinking.
> but due to the insufficient locking
> it most likely is, right?
To be honest, I don't really know how bad this is - pretty much the
only thing we're doing here is to change the VMA end. I don't know if
that messes up the address_space's interval tree or something?
I have no clue how that data structure looks.
Powered by blists - more mailing lists