lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-Id: <20230517132321.2466ef1ccde9e8d05436e3f2@linux-foundation.org>
Date:   Wed, 17 May 2023 13:23:21 -0700
From:   Andrew Morton <akpm@...ux-foundation.org>
To:     Peter Xu <peterx@...hat.com>
Cc:     linux-kernel@...r.kernel.org, linux-mm@...ck.org,
        Mike Rapoport <rppt@...nel.org>,
        Alexander Viro <viro@...iv.linux.org.uk>,
        "Liam R . Howlett" <Liam.Howlett@...cle.com>,
        Andrea Arcangeli <aarcange@...hat.com>,
        Mark Rutland <mark.rutland@....com>,
        Lorenzo Stoakes <lstoakes@...il.com>,
        linux-stable <stable@...r.kernel.org>
Subject: Re: [PATCH v2 1/2] mm/uffd: Fix vma operation where start addr cuts
 part of vma

On Wed, 17 May 2023 15:09:15 -0400 Peter Xu <peterx@...hat.com> wrote:

> It seems vma merging with uffd paths is broken with either
> register/unregister, where right now we can feed wrong parameters to
> vma_merge() and it's found by recent patch which moved asserts upwards in
> vma_merge() by Lorenzo Stoakes:
> 
> https://lore.kernel.org/all/ZFunF7DmMdK05MoF@FVFF77S0Q05N.cambridge.arm.com/
> 
> It's possible that "start" is contained within vma but not clamped to its
> start.  We need to convert this into either "cannot merge" case or "can
> merge" case 4 which permits subdivision of prev by assigning vma to
> prev. As we loop, each subsequent VMA will be clamped to the start.
> 
> This patch will eliminate the report and make sure vma_merge() calls will
> become legal again.
> 
> One thing to mention is that the "Fixes: 29417d292bd0" below is there only
> to help explain where the warning can start to trigger, the real commit to
> fix should be 69dbe6daf104.  Commit 29417d292bd0 helps us to identify the
> issue, but unfortunately we may want to keep it in Fixes too just to ease
> kernel backporters for easier tracking.
> 
> Cc: Lorenzo Stoakes <lstoakes@...il.com>
> Cc: Mike Rapoport (IBM) <rppt@...nel.org>
> Cc: Liam R. Howlett <Liam.Howlett@...cle.com>
> Reported-by: Mark Rutland <mark.rutland@....com>
> Reviewed-by: Lorenzo Stoakes <lstoakes@...il.com>
> Reviewed-by: Liam R. Howlett <Liam.Howlett@...cle.com>
> Fixes: 29417d292bd0 ("mm/mmap/vma_merge: always check invariants")
> Fixes: 69dbe6daf104 ("userfaultfd: use maple tree iterator to iterate VMAs")

I don't know how -stable maintainers are to handle more than a single
Fixes: target, given that Fixes: means "kernels which have that patch
need this one".  Can we narrow this down to a single commit for this
purpose?

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ