lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20231017090815.1067790-7-jeffxu@chromium.org>
Date:   Tue, 17 Oct 2023 09:08:13 +0000
From:   jeffxu@...omium.org
To:     akpm@...ux-foundation.org, keescook@...omium.org, jannh@...gle.com,
        sroettger@...gle.com, willy@...radead.org,
        gregkh@...uxfoundation.org, torvalds@...ux-foundation.org
Cc:     jeffxu@...gle.com, jorgelo@...omium.org, groeck@...omium.org,
        linux-kernel@...r.kernel.org, linux-kselftest@...r.kernel.org,
        linux-mm@...ck.org, surenb@...gle.com, alex.sierra@....com,
        apopple@...dia.com, aneesh.kumar@...ux.ibm.com,
        axelrasmussen@...gle.com, ben@...adent.org.uk,
        catalin.marinas@....com, david@...hat.com, dwmw@...zon.co.uk,
        ying.huang@...el.com, hughd@...gle.com, joey.gouly@....com,
        corbet@....net, wangkefeng.wang@...wei.com,
        Liam.Howlett@...cle.com, lstoakes@...il.com, mawupeng1@...wei.com,
        linmiaohe@...wei.com, namit@...are.com, peterx@...hat.com,
        peterz@...radead.org, ryan.roberts@....com, shr@...kernel.io,
        vbabka@...e.cz, xiujianfeng@...wei.com, yu.ma@...el.com,
        zhangpeng362@...wei.com, dave.hansen@...el.com, luto@...nel.org,
        linux-hardening@...r.kernel.org
Subject: [RFC PATCH v2 6/8] mseal: Check seal flag for mremap(2)

From: Jeff Xu <jeffxu@...gle.com>

mremap(2) can shrink/expand a VMA, or move a VMA to a fixed
address and overwriting or existing VMA. Sealing will
prevent unintended mremap(2) call.

What this patch does:
When a mremap(2) is invoked, if one of its VMAs has MM_SEAL_MREMAP
set from previous mseal(2) call, this mremap(2) will fail, without
any VMA modified.

This patch is based on following:
1. At syscall entry point: SYSCALL_DEFINE5(mremap,...)
There are two cases:
a. going into mremap_to().
b. not going into mremap_to().

2. For mremap_to() case.
Since mremap_to() is called only from SYSCALL_DEFINE5(mremap,..),
omit changing signature of mremap_to(), i.e. not passing
checkSeals flag.
In mremap_to(), it calls can_modify_mm() for src address and
dst address (when MREMAP_FIXED is used), before any update is
made to the VMAs.

3. For non mremap_to() case.
It is still part of SYSCALL_DEFINE5(mremap,...).
It calls can_modify_mm() to check sealing in the src address,
before any update is made to src VMAs.
Check for dest address is not needed, because dest memory is
allocated in current mremap(2) call.

Signed-off-by: Jeff Xu <jeffxu@...gle.com>
---
 mm/mremap.c | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/mm/mremap.c b/mm/mremap.c
index ac363937f8c4..691fc32d37e4 100644
--- a/mm/mremap.c
+++ b/mm/mremap.c
@@ -836,7 +836,27 @@ static unsigned long mremap_to(unsigned long addr, unsigned long old_len,
 	if ((mm->map_count + 2) >= sysctl_max_map_count - 3)
 		return -ENOMEM;
 
+	/*
+	 * Check src address for sealing.
+	 *
+	 * Note: mremap_to() currently called from one place:
+	 * SYSCALL_DEFINE4(pkey_mprotect, ...)
+	 * and not in any other places.
+	 * Therefore, omit changing the signature of mremap_to()
+	 * Otherwise, we might need to add checkSeals and pass it
+	 * from all callers of mremap_to().
+	 */
+	if (!can_modify_mm(mm, addr, addr + old_len, MM_SEAL_MREMAP))
+		return -EACCES;
+
 	if (flags & MREMAP_FIXED) {
+		/*
+		 * Check dest address for sealing.
+		 */
+		if (!can_modify_mm(mm, new_addr, new_addr + new_len,
+				   MM_SEAL_MREMAP))
+			return -EACCES;
+
 		ret = do_munmap(mm, new_addr, new_len, uf_unmap_early);
 		if (ret)
 			goto out;
@@ -995,6 +1015,11 @@ SYSCALL_DEFINE5(mremap, unsigned long, addr, unsigned long, old_len,
 		goto out;
 	}
 
+	if (!can_modify_mm(mm, addr, addr + old_len, MM_SEAL_MREMAP)) {
+		ret = -EACCES;
+		goto out;
+	}
+
 	/*
 	 * Always allow a shrinking remap: that just unmaps
 	 * the unnecessary pages..
-- 
2.42.0.655.g421f12c284-goog

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ