lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <9d257ca7-c823-4427-8f57-cbe53b0c3b54@collabora.com>
Date:   Sun, 19 Nov 2023 10:54:12 -0500
From:   Muhammad Usama Anjum <usama.anjum@...labora.com>
To:     Peter Xu <peterx@...hat.com>, linux-mm@...ck.org,
        linux-kernel@...r.kernel.org
Cc:     Muhammad Usama Anjum <usama.anjum@...labora.com>,
        Andrew Morton <akpm@...ux-foundation.org>,
        David Hildenbrand <david@...hat.com>,
        Andrei Vagin <avagin@...il.com>,
        syzbot+e94c5aaf7890901ebf9b@...kaller.appspotmail.com
Subject: Re: [PATCH 1/3] mm/pagemap: Fix ioctl(PAGEMAP_SCAN) on vma check

Hi Peter,

Thank you for taking care of it. I'm on holidays after LPC.

On 11/16/23 3:15 PM, Peter Xu wrote:
> The new ioctl(PAGEMAP_SCAN) relies on vma wr-protect capability provided by
> userfault, however in the vma test it didn't explicitly require the vma to
> have wr-protect function enabled, even if PM_SCAN_WP_MATCHING flag is set.
> 
> It means the pagemap code can now apply uffd-wp bit to a page in the vma
> even if not registered to userfaultfd at all.
> 
> Then in whatever way as long as the pte got written and page fault
> resolved, we'll apply the write bit even if uffd-wp bit is set.  We'll see
> a pte that has both UFFD_WP and WRITE bit set.  Anything later that looks
> up the pte for uffd-wp bit will trigger the warning:
> 
> WARNING: CPU: 1 PID: 5071 at arch/x86/include/asm/pgtable.h:403 pte_uffd_wp arch/x86/include/asm/pgtable.h:403 [inline]
> 
> Fix it by doing proper check over the vma attributes when
> PM_SCAN_WP_MATCHING is specified.
> 
> Fixes: 52526ca7fdb9 ("fs/proc/task_mmu: implement IOCTL to get and optionally clear info about PTEs")
> Reported-by: syzbot+e94c5aaf7890901ebf9b@...kaller.appspotmail.com
> Signed-off-by: Peter Xu <peterx@...hat.com>
> ---
>  fs/proc/task_mmu.c | 24 ++++++++++++++++++++----
>  1 file changed, 20 insertions(+), 4 deletions(-)
> 
> diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c
> index 51e0ec658457..e91085d79926 100644
> --- a/fs/proc/task_mmu.c
> +++ b/fs/proc/task_mmu.c
> @@ -1994,15 +1994,31 @@ static int pagemap_scan_test_walk(unsigned long start, unsigned long end,
>  	struct pagemap_scan_private *p = walk->private;
>  	struct vm_area_struct *vma = walk->vma;
>  	unsigned long vma_category = 0;
> +	bool wp_allowed = userfaultfd_wp_async(vma) &&
> +	    userfaultfd_wp_use_markers(vma);
>  
> -	if (userfaultfd_wp_async(vma) && userfaultfd_wp_use_markers(vma))
> -		vma_category |= PAGE_IS_WPALLOWED;
> -	else if (p->arg.flags & PM_SCAN_CHECK_WPASYNC)
> -		return -EPERM;
> +	if (!wp_allowed) {
> +		/* User requested explicit failure over wp-async capability */
> +		if (p->arg.flags & PM_SCAN_CHECK_WPASYNC)
> +			return -EPERM;
> +		/*
> +		 * User requires wr-protect, and allows silently skipping
> +		 * unsupported vmas.
> +		 */
> +		if (p->arg.flags & PM_SCAN_WP_MATCHING)
> +			return 1;
> +		/*
> +		 * Then the request doesn't involve wr-protects at all,
> +		 * fall through to the rest checks, and allow vma walk.
> +		 */
> +	}
Very simply done. I've really liked it.

Reviewed-by: Muhammad Usama Anjum <usama.anjum@...labora.com>

>  
>  	if (vma->vm_flags & VM_PFNMAP)
>  		return 1;
>  
> +	if (wp_allowed)
> +		vma_category |= PAGE_IS_WPALLOWED;
> +
>  	if (vma->vm_flags & VM_SOFTDIRTY)
>  		vma_category |= PAGE_IS_SOFT_DIRTY;
>  

-- 
BR,
Muhammad Usama Anjum

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ