| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 5 Dec 2022 17:27:35 +0000
From: Liam Howlett <liam.howlett@...cle.com>
To: Jann Horn <jannh@...gle.com>
CC: "linux-mm@...ck.org" <linux-mm@...ck.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
Andrew Morton <akpm@...ux-foundation.org>,
Yu Zhao <yuzhao@...gle.com>, Jason Donenfeld <Jason@...c4.com>,
Matthew Wilcox <willy@...radead.org>,
SeongJae Park <sj@...nel.org>, Vlastimil Babka <vbabka@...e.cz>
Subject: Re: [PATCH] mmap: Fix do_brk_flags() modifying obviously incorrect
VMAs
* Jann Horn <jannh@...gle.com> [221205 12:16]:
> On Mon, Dec 5, 2022 at 5:53 PM Liam Howlett <liam.howlett@...cle.com> wrote:
> > Add more sanity checks to the VMA that do_brk_flags() will expand.
> > Ensure the VMA matches basic merge requirements within the function
> > before calling can_vma_merge_after().
> >
> > Drop the duplicate checks from vm_brk_flags() since they will be
> > enforced later.
>
> Looks good to me, with one note:
>
> > Fixes: 2e7ce7d354f2 ("mm/mmap: change do_brk_flags() to expand existing VMA and add do_brk_munmap()")
> > Suggested-by: Jann Horn <jannh@...gle.com>
> > Signed-off-by: Liam R. Howlett <Liam.Howlett@...cle.com>
> > ---
> > mm/mmap.c | 11 +++--------
> > 1 file changed, 3 insertions(+), 8 deletions(-)
> >
> > diff --git a/mm/mmap.c b/mm/mmap.c
> > index a5eb2f175da0..41a2c42593e8 100644
> > --- a/mm/mmap.c
> > +++ b/mm/mmap.c
> > @@ -2946,9 +2946,9 @@ static int do_brk_flags(struct ma_state *mas, struct vm_area_struct *vma,
> > * Expand the existing vma if possible; Note that singular lists do not
> > * occur after forking, so the expand will only happen on new VMAs.
> > */
> > - if (vma &&
> > - (!vma->anon_vma || list_is_singular(&vma->anon_vma_chain)) &&
> > - ((vma->vm_flags & ~VM_SOFTDIRTY) == flags)) {
> > + if (vma && vma->vm_end == addr && !vma_policy(vma) && vma->anon_vma &&
>
> Why the "vma->anon_vma" check here? The old code was checking that the
> existing VMA is not attached to more than one anon_vma; but the new
> code instead checks that the existing VMA is attached to at least one
> anon_vma, and then is_mergeable_anon_vma() checks that the VMA is not
> attached to more than one anon_vma, so in effect the VMA has to be
> attached to exactly one anon_vma. Is that intentional?
That was not intentional.
>
> If not, maybe delete the "vma->anon_vma &&" - can_vma_merge_after()
> already does the equivalent check of the old "(!vma->anon_vma ||
> list_is_singular(&vma->anon_vma_chain))".
Yes, I will do that and send a v2.
>
> > + can_vma_merge_after(vma, flags, NULL, NULL,
> > + addr >> PAGE_SHIFT, NULL_VM_UFFD_CTX, NULL)) {
> > mas_set_range(mas, vma->vm_start, addr + len - 1);
> > if (mas_preallocate(mas, vma, GFP_KERNEL))
> > return -ENOMEM;
> > @@ -3035,11 +3035,6 @@ int vm_brk_flags(unsigned long addr, unsigned long request, unsigned long flags)
> > goto munmap_failed;
> >
> > vma = mas_prev(&mas, 0);
> > - if (!vma || vma->vm_end != addr || vma_policy(vma) ||
> > - !can_vma_merge_after(vma, flags, NULL, NULL,
> > - addr >> PAGE_SHIFT, NULL_VM_UFFD_CTX, NULL))
> > - vma = NULL;
> > -
> > ret = do_brk_flags(&mas, vma, addr, len, flags);
> > populate = ((mm->def_flags & VM_LOCKED) != 0);
> > mmap_write_unlock(mm);
> > --
> > 2.35.1
Powered by blists - more mailing lists