| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <9d257ca7-c823-4427-8f57-cbe53b0c3b54@collabora.com>
Date: Sun, 19 Nov 2023 10:54:12 -0500
From: Muhammad Usama Anjum <usama.anjum@...labora.com>
To: Peter Xu <peterx@...hat.com>, linux-mm@...ck.org,
linux-kernel@...r.kernel.org
Cc: Muhammad Usama Anjum <usama.anjum@...labora.com>,
Andrew Morton <akpm@...ux-foundation.org>,
David Hildenbrand <david@...hat.com>,
Andrei Vagin <avagin@...il.com>,
syzbot+e94c5aaf7890901ebf9b@...kaller.appspotmail.com
Subject: Re: [PATCH 1/3] mm/pagemap: Fix ioctl(PAGEMAP_SCAN) on vma check
Hi Peter,
Thank you for taking care of it. I'm on holidays after LPC.
On 11/16/23 3:15 PM, Peter Xu wrote:
> The new ioctl(PAGEMAP_SCAN) relies on vma wr-protect capability provided by
> userfault, however in the vma test it didn't explicitly require the vma to
> have wr-protect function enabled, even if PM_SCAN_WP_MATCHING flag is set.
>
> It means the pagemap code can now apply uffd-wp bit to a page in the vma
> even if not registered to userfaultfd at all.
>
> Then in whatever way as long as the pte got written and page fault
> resolved, we'll apply the write bit even if uffd-wp bit is set. We'll see
> a pte that has both UFFD_WP and WRITE bit set. Anything later that looks
> up the pte for uffd-wp bit will trigger the warning:
>
> WARNING: CPU: 1 PID: 5071 at arch/x86/include/asm/pgtable.h:403 pte_uffd_wp arch/x86/include/asm/pgtable.h:403 [inline]
>
> Fix it by doing proper check over the vma attributes when
> PM_SCAN_WP_MATCHING is specified.
>
> Fixes: 52526ca7fdb9 ("fs/proc/task_mmu: implement IOCTL to get and optionally clear info about PTEs")
> Reported-by: syzbot+e94c5aaf7890901ebf9b@...kaller.appspotmail.com
> Signed-off-by: Peter Xu <peterx@...hat.com>
> ---
> fs/proc/task_mmu.c | 24 ++++++++++++++++++++----
> 1 file changed, 20 insertions(+), 4 deletions(-)
>
> diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c
> index 51e0ec658457..e91085d79926 100644
> --- a/fs/proc/task_mmu.c
> +++ b/fs/proc/task_mmu.c
> @@ -1994,15 +1994,31 @@ static int pagemap_scan_test_walk(unsigned long start, unsigned long end,
> struct pagemap_scan_private *p = walk->private;
> struct vm_area_struct *vma = walk->vma;
> unsigned long vma_category = 0;
> + bool wp_allowed = userfaultfd_wp_async(vma) &&
> + userfaultfd_wp_use_markers(vma);
>
> - if (userfaultfd_wp_async(vma) && userfaultfd_wp_use_markers(vma))
> - vma_category |= PAGE_IS_WPALLOWED;
> - else if (p->arg.flags & PM_SCAN_CHECK_WPASYNC)
> - return -EPERM;
> + if (!wp_allowed) {
> + /* User requested explicit failure over wp-async capability */
> + if (p->arg.flags & PM_SCAN_CHECK_WPASYNC)
> + return -EPERM;
> + /*
> + * User requires wr-protect, and allows silently skipping
> + * unsupported vmas.
> + */
> + if (p->arg.flags & PM_SCAN_WP_MATCHING)
> + return 1;
> + /*
> + * Then the request doesn't involve wr-protects at all,
> + * fall through to the rest checks, and allow vma walk.
> + */
> + }
Very simply done. I've really liked it.
Reviewed-by: Muhammad Usama Anjum <usama.anjum@...labora.com>
>
> if (vma->vm_flags & VM_PFNMAP)
> return 1;
>
> + if (wp_allowed)
> + vma_category |= PAGE_IS_WPALLOWED;
> +
> if (vma->vm_flags & VM_SOFTDIRTY)
> vma_category |= PAGE_IS_SOFT_DIRTY;
>
--
BR,
Muhammad Usama Anjum
Powered by blists - more mailing lists