lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20221205172718.vewypps6pe2qev4c@revolver>
Date:   Mon, 5 Dec 2022 17:27:35 +0000
From:   Liam Howlett <liam.howlett@...cle.com>
To:     Jann Horn <jannh@...gle.com>
CC:     "linux-mm@...ck.org" <linux-mm@...ck.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        Andrew Morton <akpm@...ux-foundation.org>,
        Yu Zhao <yuzhao@...gle.com>, Jason Donenfeld <Jason@...c4.com>,
        Matthew Wilcox <willy@...radead.org>,
        SeongJae Park <sj@...nel.org>, Vlastimil Babka <vbabka@...e.cz>
Subject: Re: [PATCH] mmap: Fix do_brk_flags() modifying obviously incorrect
 VMAs

* Jann Horn <jannh@...gle.com> [221205 12:16]:
> On Mon, Dec 5, 2022 at 5:53 PM Liam Howlett <liam.howlett@...cle.com> wrote:
> > Add more sanity checks to the VMA that do_brk_flags() will expand.
> > Ensure the VMA matches basic merge requirements within the function
> > before calling can_vma_merge_after().
> >
> > Drop the duplicate checks from vm_brk_flags() since they will be
> > enforced later.
> 
> Looks good to me, with one note:
> 
> > Fixes: 2e7ce7d354f2 ("mm/mmap: change do_brk_flags() to expand existing VMA and add do_brk_munmap()")
> > Suggested-by: Jann Horn <jannh@...gle.com>
> > Signed-off-by: Liam R. Howlett <Liam.Howlett@...cle.com>
> > ---
> >  mm/mmap.c | 11 +++--------
> >  1 file changed, 3 insertions(+), 8 deletions(-)
> >
> > diff --git a/mm/mmap.c b/mm/mmap.c
> > index a5eb2f175da0..41a2c42593e8 100644
> > --- a/mm/mmap.c
> > +++ b/mm/mmap.c
> > @@ -2946,9 +2946,9 @@ static int do_brk_flags(struct ma_state *mas, struct vm_area_struct *vma,
> >          * Expand the existing vma if possible; Note that singular lists do not
> >          * occur after forking, so the expand will only happen on new VMAs.
> >          */
> > -       if (vma &&
> > -           (!vma->anon_vma || list_is_singular(&vma->anon_vma_chain)) &&
> > -           ((vma->vm_flags & ~VM_SOFTDIRTY) == flags)) {
> > +       if (vma && vma->vm_end == addr && !vma_policy(vma) && vma->anon_vma &&
> 
> Why the "vma->anon_vma" check here? The old code was checking that the
> existing VMA is not attached to more than one anon_vma; but the new
> code instead checks that the existing VMA is attached to at least one
> anon_vma, and then is_mergeable_anon_vma() checks that the VMA is not
> attached to more than one anon_vma, so in effect the VMA has to be
> attached to exactly one anon_vma. Is that intentional?

That was not intentional.

> 
> If not, maybe delete the "vma->anon_vma &&" - can_vma_merge_after()
> already does the equivalent check of the old "(!vma->anon_vma ||
> list_is_singular(&vma->anon_vma_chain))".

Yes, I will do that and send a v2.

> 
> > +           can_vma_merge_after(vma, flags, NULL, NULL,
> > +                               addr >> PAGE_SHIFT, NULL_VM_UFFD_CTX, NULL)) {
> >                 mas_set_range(mas, vma->vm_start, addr + len - 1);
> >                 if (mas_preallocate(mas, vma, GFP_KERNEL))
> >                         return -ENOMEM;
> > @@ -3035,11 +3035,6 @@ int vm_brk_flags(unsigned long addr, unsigned long request, unsigned long flags)
> >                 goto munmap_failed;
> >
> >         vma = mas_prev(&mas, 0);
> > -       if (!vma || vma->vm_end != addr || vma_policy(vma) ||
> > -           !can_vma_merge_after(vma, flags, NULL, NULL,
> > -                                addr >> PAGE_SHIFT, NULL_VM_UFFD_CTX, NULL))
> > -               vma = NULL;
> > -
> >         ret = do_brk_flags(&mas, vma, addr, len, flags);
> >         populate = ((mm->def_flags & VM_LOCKED) != 0);
> >         mmap_write_unlock(mm);
> > --
> > 2.35.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ