lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:   Wed, 14 Dec 2022 11:22:39 +0100
From:   David Hildenbrand <david@...hat.com>
To:     Hans de Goede <hdegoede@...hat.com>
Cc:     "linux-mm@...ck.org" <linux-mm@...ck.org>,
        Mauro Carvalho Chehab <mchehab@...nel.org>,
        "linux-media@...r.kernel.org" <linux-media@...r.kernel.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        Sakari Ailus <sakari.ailus@...ux.intel.com>,
        Andy Shevchenko <andriy.shevchenko@...ux.intel.com>
Subject: Dubious usage of VM_SHARED in atomisp_fops.c

Hi,

going over all VM_SHARED and VM_MAYSHARE user in the kernel, I stumbled 
over the following dubious code in 
drivers/staging/media/atomisp/pci/atomisp_fops.c:


if (!(vma->vm_flags & (VM_WRITE | VM_READ)))
	return -EACCES;

...

if (!(vma->vm_flags & VM_SHARED)) {
	/* Map private buffer.
	 * Set VM_SHARED to the flags since we need
	 * to map the buffer page by page.
	 * Without VM_SHARED, remap_pfn_range() treats
	 * this kind of mapping as invalid.
	 */
	vma->vm_flags |= VM_SHARED;
	ret = hmm_mmap(vma, vma->vm_pgoff << PAGE_SHIFT);
	...
}


We're converting a writable MAP_PRIVATE mapping ("COW mapping") into a 
writable MAP_SHARED mapping, to hack around the is_cow_mapping() check 
in remap_pfn_range_notrack().

We're not even setting VM_MAYSHARE and turn the mapping silently into 
something with completely different semantics.


That code has to go.


One approach would be to reject such mappings (no idea if user space 
relies on private mappings), the other one would be to remove this 
driver. Judging that the driver already was marked broken in 2020 
(ad85094b293e ("Revert "media: staging: atomisp: Remove driver"")), 
maybe it's time for the driver to go.

Thoughts?

-- 
Thanks,

David / dhildenb

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ