Date: Fri, 22 Mar 2024 22:08:11 +0100
From: David Hildenbrand <david@...hat.com>
To: Miklos Szeredi <miklos@...redi.hu>
Cc: xingwei lee <xrivendell7@...il.com>, linux-fsdevel@...r.kernel.org,
 linux-kernel@...r.kernel.org, samsun1006219@...il.com,
 syzkaller-bugs@...glegroups.com, linux-mm <linux-mm@...ck.org>,
 Mike Rapoport <rppt@...nel.org>
Subject: Re: BUG: unable to handle kernel paging request in fuse_copy_do

On 22.03.24 20:46, Miklos Szeredi wrote:
> On Fri, 22 Mar 2024 at 16:41, David Hildenbrand <david@...hat.com> wrote:
> 
>> But at least the vmsplice() just seems to work. Which is weird, because
>> GUP-fast should not apply (page not faulted in?)
> 
> But it is faulted in, and that indeed seems to be the root cause.

secretmem mmap() won't populate the page tables. So it's not faulted in yet.

When we GUP via vmsplice, GUP-fast should not find it in the page tables 
and fallback to slow GUP.

There, we seem to pass check_vma_flags(), trigger faultin_page() to 
fault it in, and then find it via follow_page_mask().

... and I wonder how we manage to skip check_vma_flags(), or otherwise 
manage to GUP it.

vmsplice() should, in theory, never succeed here.

Weird :/

> Improved repro:
> 
> #define _GNU_SOURCE
> 
> #include <fcntl.h>
> #include <unistd.h>
> #include <stdio.h>
> #include <errno.h>
> #include <sys/mman.h>
> #include <sys/syscall.h>
> #include <sys/uio.h>      /* struct iovec */
> 
> int main(void)
> {
>         int fd1, fd2;
>         int pip[2];
>         struct iovec iov;
>         char *addr;
>         int ret;
> 
>         fd1 = syscall(__NR_memfd_secret, 0);
>         if (fd1 < 0) {
>                 perror("memfd_secret");
>                 return 1;
>         }
>         addr = mmap(NULL, 4096, PROT_READ | PROT_WRITE, MAP_SHARED, fd1, 0);
>         if (addr == MAP_FAILED) {
>                 perror("mmap");
>                 return 1;
>         }
>         ftruncate(fd1, 7);
>         addr[0] = 1; /* fault in page */
>         pipe(pip);
>         iov.iov_base = addr;
>         iov.iov_len = 0x50;
>         ret = vmsplice(pip[1], &iov, 1, 0);
>         if (ret == -1 && errno == EFAULT) {
>                 /* expected: secretmem pages must not be GUP-able */
>                 printf("Success\n");
>                 return 0;
>         }
> 
>         /* vmsplice() accepted the secretmem page; push it on to a file */
>         fd2 = open("/tmp/repro-secretmem.test", O_RDWR | O_CREAT, 0600);
>         splice(pip[0], NULL, fd2, NULL, 0x50, 0);
> 
>         return 0;
> }
> 

-- 
Cheers,

David / dhildenb
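
The reasoning in the message above (vmsplice() on a secretmem mapping should fail with EFAULT whether or not the page is already faulted in, since slow GUP is expected to reject the VMA and GUP-fast should never find an unpopulated PTE) can be turned into a small user-space check. The harness below is an added example written for this page; it is not code from the thread, from syzkaller or from the kernel tree. It probes three cases: an ordinary anonymous page as a control (vmsplice() is expected to accept it), a memfd_secret() page that has not been touched, and one that has been written to first so its page table entry exists. The names (probe_result, probe_vmsplice, probe_secretmem, probe_anon, classify_vmsplice) are this example's own, and the fallback syscall number 447 for memfd_secret() is an assumption that holds for x86_64 and arm64 only, used when the installed headers lack __NR_memfd_secret.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <sys/uio.h>
#include <unistd.h>

/* Assumption: memfd_secret() is syscall 447 on x86_64 and arm64; only used
 * when the installed kernel headers predate the syscall. */
#ifndef __NR_memfd_secret
#define __NR_memfd_secret 447
#endif

/* Prototype repeated in case fcntl.h was already included without _GNU_SOURCE. */
ssize_t vmsplice(int fd, const struct iovec *iov, size_t nr_segs, unsigned int flags);

enum probe_result {
    PROBE_REJECTED,    /* vmsplice() failed with EFAULT: GUP refused the page   */
    PROBE_SPLICED,     /* vmsplice() succeeded: the page got pinned into a pipe */
    PROBE_UNSUPPORTED, /* memfd_secret() is not available here (ENOSYS/EPERM)  */
    PROBE_ERROR        /* some setup step failed; inspect errno                  */
};

static const char *probe_name(enum probe_result r)
{
    switch (r) {
    case PROBE_REJECTED:    return "rejected (EFAULT)";
    case PROBE_SPLICED:     return "spliced";
    case PROBE_UNSUPPORTED: return "memfd_secret unsupported";
    default:                return "setup error";
    }
}

/* Pure classification of a vmsplice() return value and the errno it left. */
static enum probe_result classify_vmsplice(ssize_t ret, int err)
{
    if (ret >= 0)
        return PROBE_SPLICED;
    return err == EFAULT ? PROBE_REJECTED : PROBE_ERROR;
}

/* vmsplice() len bytes at addr into a fresh pipe and classify the outcome. */
static enum probe_result probe_vmsplice(void *addr, size_t len)
{
    struct iovec iov = { .iov_base = addr, .iov_len = len };
    int pip[2];
    ssize_t ret;
    int err;

    if (pipe(pip) < 0)
        return PROBE_ERROR;
    ret = vmsplice(pip[1], &iov, 1, 0);
    err = errno;
    close(pip[0]);  /* dropping the pipe releases any pages it pinned */
    close(pip[1]);
    return classify_vmsplice(ret, err);
}

/* Control: an ordinary anonymous page, which vmsplice() is expected to accept. */
static enum probe_result probe_anon(void)
{
    long page = sysconf(_SC_PAGESIZE);
    char *addr = mmap(NULL, page, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    enum probe_result r;

    if (addr == MAP_FAILED)
        return PROBE_ERROR;
    addr[0] = 1;
    r = probe_vmsplice(addr, 64);
    munmap(addr, page);
    return r;
}

/* One memfd_secret() page, either left untouched (no PTE yet, so GUP-fast has
 * nothing to find and slow GUP must decide) or written once so it is faulted in
 * before vmsplice() runs. The expected answer in both cases is PROBE_REJECTED. */
static enum probe_result probe_secretmem(int fault_first)
{
    long page = sysconf(_SC_PAGESIZE);
    int fd = syscall(__NR_memfd_secret, 0);
    char *addr;
    enum probe_result r;

    if (fd < 0)
        return (errno == ENOSYS || errno == EPERM) ? PROBE_UNSUPPORTED : PROBE_ERROR;
    /* Size the file before mapping; secretmem mappings must be MAP_SHARED. */
    if (ftruncate(fd, page) < 0 ||
        (addr = mmap(NULL, page, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0)) == MAP_FAILED) {
        close(fd);
        return PROBE_ERROR;
    }
    if (fault_first)
        addr[0] = 1;  /* populate the page table entry before the GUP attempt */
    r = probe_vmsplice(addr, 64);
    munmap(addr, page);
    close(fd);
    return r;
}

int main(void)
{
    printf("anonymous page (control):  %s\n", probe_name(probe_anon()));
    printf("secretmem, not faulted in: %s\n", probe_name(probe_secretmem(0)));
    printf("secretmem, faulted in:     %s\n", probe_name(probe_secretmem(1)));
    return 0;
}
```

Run it unprivileged on a kernel with secretmem enabled; the anonymous control is there so that a "rejected" result for the secretmem cases can be read as GUP refusing the page rather than vmsplice() being unusable in the environment. A "spliced" line for either secretmem case is the condition the thread is discussing: a secretmem page that has been pinned by GUP. The mapping is one page and counts against RLIMIT_MEMLOCK, so a "setup error" with EAGAIN from mmap() usually means that limit is zero.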
