lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <cd488979-d257-42b9-937f-470cc3c57f5e@lucifer.local>
Date:   Mon, 24 Apr 2023 15:29:57 +0100
From:   Lorenzo Stoakes <lstoakes@...il.com>
To:     Jason Gunthorpe <jgg@...dia.com>
Cc:     Christoph Hellwig <hch@...radead.org>, linux-mm@...ck.org,
        linux-kernel@...r.kernel.org,
        Andrew Morton <akpm@...ux-foundation.org>,
        Jens Axboe <axboe@...nel.dk>,
        Matthew Wilcox <willy@...radead.org>,
        Dennis Dalessandro <dennis.dalessandro@...nelisnetworks.com>,
        Leon Romanovsky <leon@...nel.org>,
        Christian Benvenuti <benve@...co.com>,
        Nelson Escobar <neescoba@...co.com>,
        Bernard Metzler <bmt@...ich.ibm.com>,
        Peter Zijlstra <peterz@...radead.org>,
        Ingo Molnar <mingo@...hat.com>,
        Arnaldo Carvalho de Melo <acme@...nel.org>,
        Mark Rutland <mark.rutland@....com>,
        Alexander Shishkin <alexander.shishkin@...ux.intel.com>,
        Jiri Olsa <jolsa@...nel.org>,
        Namhyung Kim <namhyung@...nel.org>,
        Ian Rogers <irogers@...gle.com>,
        Adrian Hunter <adrian.hunter@...el.com>,
        Bjorn Topel <bjorn@...nel.org>,
        Magnus Karlsson <magnus.karlsson@...el.com>,
        Maciej Fijalkowski <maciej.fijalkowski@...el.com>,
        Jonathan Lemon <jonathan.lemon@...il.com>,
        "David S . Miller" <davem@...emloft.net>,
        Eric Dumazet <edumazet@...gle.com>,
        Jakub Kicinski <kuba@...nel.org>,
        Paolo Abeni <pabeni@...hat.com>,
        Christian Brauner <brauner@...nel.org>,
        Richard Cochran <richardcochran@...il.com>,
        Alexei Starovoitov <ast@...nel.org>,
        Daniel Borkmann <daniel@...earbox.net>,
        Jesper Dangaard Brouer <hawk@...nel.org>,
        John Fastabend <john.fastabend@...il.com>,
        linux-fsdevel@...r.kernel.org, linux-perf-users@...r.kernel.org,
        netdev@...r.kernel.org, bpf@...r.kernel.org,
        Oleg Nesterov <oleg@...hat.com>
Subject: Re: [PATCH v2] mm/gup: disallow GUP writing to file-backed mappings
 by default

On Mon, Apr 24, 2023 at 10:39:25AM -0300, Jason Gunthorpe wrote:
> On Mon, Apr 24, 2023 at 01:38:49PM +0100, Lorenzo Stoakes wrote:
>
> > I was being fairly conservative in that list, though we certainly need to
> > set the flag for /proc/$pid/mem and ptrace to avoid breaking this
> > functionality (I observed breakpoints breaking without it which obviously
> > is a no go :). I'm not sure if there's a more general way we could check
> > for this though?
>
> More broadly we should make sure these usages of GUP safe somehow so
> that it can reliably write to those types of pages without breaking
> the current FS contract..
>
> I forget exactly, but IIRC, don't you have to hold some kind of page
> spinlock while writing to the page memory?
>

I think perhaps you're thinking of the mm->mmap_lock? Which will be held
for the FOLL_GET cases and simply prevent the VMA from disappearing below
us but not do much else.

> So, users that do this, or can be fixed to do this, can get file
> backed pages. It suggests that a flag name is more like
> FOLL_CALLER_USES_FILE_WRITE_LOCKING
>

As stated above, I'm not sure what locking you're referring to, but seems
to me that FOLL_GET already implies what you're thinking?

I wonder whether we should do this check purely for FOLL_PIN to be honest?
As this indicates medium to long-term access without mmap_lock held. This
would exclude the /proc/$pid/mem and ptrace paths which use gup_remote().

That and a very specific use of uprobes are the only places that use
FOLL_GET in this instance and each of them are careful in any case to
handle setting the dirty page flag.

All PUP cases that do not specify FOLL_LONGTERM also do this, so we could
atually go so far as to reduce the patch to simply performing the
vma_wants_writenotify() check if (FOLL_PIN | FOLL_LONGTERM) is specified,
which covers the io_uring case.

Alternatively if we wanted to be safer, we could add a FOLL_ALLOW_FILE_PIN
that is checked on FOLL_PIN and ignored on FOLL_LONGTERM?

> > I wouldn't be totally opposed to dropping it for RDMA too, because I
> > suspect accessing file-backed mappings for that is pretty iffy.
> >
> > Do you have a sense of which in the list you feel could be pared back?
>
> Anything using FOLL_LONGTERM should not set the flag, GUP should even
> block the combination.

OK

>
> And we need to have in mind that the flag indicates the code is
> buggy, so if you set it then we should understand how is that caller
> expected to be fixed.
>
> Jason

I think we are working towards a much simpler solution in any case!

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ