lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <ZbIroGI1kADrOTUB@kernel.org>
Date: Thu, 25 Jan 2024 11:36:32 +0200
From: Mike Rapoport <rppt@...nel.org>
To: Axel Rasmussen <axelrasmussen@...gle.com>
Cc: Andrew Morton <akpm@...ux-foundation.org>,
	Lokesh Gidra <lokeshgidra@...gle.com>,
	linux-fsdevel@...r.kernel.org, linux-mm@...ck.org,
	linux-kernel@...r.kernel.org, selinux@...r.kernel.org,
	surenb@...gle.com, kernel-team@...roid.com, aarcange@...hat.com,
	peterx@...hat.com, david@...hat.com, bgeffon@...gle.com,
	willy@...radead.org, jannh@...gle.com, kaleshsingh@...gle.com,
	ngeoffray@...gle.com
Subject: Re: [PATCH] userfaultfd: fix mmap_changing checking in
 mfill_atomic_hugetlb

On Thu, Jan 18, 2024 at 03:17:14PM -0800, Axel Rasmussen wrote:
> 
> On Thu, Jan 18, 2024 at 1:59 PM Andrew Morton <akpm@...ux-foundation.org>
> wrote:
> 
>     On Wed, 17 Jan 2024 14:37:29 -0800 Lokesh Gidra <lokeshgidra@...gle.com>
>     wrote:
> 
>     > In mfill_atomic_hugetlb(), mmap_changing isn't being checked
>     > again if we drop mmap_lock and reacquire it. When the lock is not held,
>     > mmap_changing could have been incremented. This is also inconsistent
>     > with the behavior in mfill_atomic().
> 
> 
> The change looks reasonable to me. I'm not sure I can conclusively say there
> isn't some other mechanism specific to hugetlbfs which means this isn't needed,
> though.
  
There's nothing specific to hugetlb, if a non-cooperative uffdio_copy races
with mremap/fork etc, the vma under it may change
 
>     Thanks. Could you and reviewers please consider
> 
>     - what might be the userspace-visible runtime effects?

For users of non-cooperative uffd with hugetlb, this would fix crashes
caused by races between uffd operations that update memory and the
operations that change the VM layout. Pretty much the same fix as
df2cc96e77011 ("userfaultfd: prevent non-cooperative events vs mcopy_atomic
races") for !hugetlb memory.

I doubt such users exist, though...
 
>     - Should the fix be backported into earlier kernels?
>     - A suitable Fixes: target?
> 
> Hmm, 60d4d2d2b40e4 added __mcopy_atomic_hugetlb without this. But, at that
> point in history, none of the other functions had mmap_changing either.
> 
> So, I think the right Fixes: target is df2cc96e77011 ("userfaultfd: prevent
> non-cooperative events vs mcopy_atomic races") ? It seems to have missed the
> hugetlb path. This was introduced in 4.18.
> 
> Based on that commit's message, essentially what can happen if the race
> "succeeds" is, memory can be accessed without userfaultfd being notified of
> this fact. Depending on what userfaultfd is being used for, from
> userspace's perspective this can appear like memory corruption for example. So,
> based on that it seems to me reasonable to backport this to stable kernels
> (4.19+).

I agree with Axel, 

Fixes: df2cc96e77011 ("userfaultfd: prevent non-cooperative events vs mcopy_atomic races")

seems appropriate.

-- 
Sincerely yours,
Mike.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ