| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2c7a5fcb-198a-42b3-98ec-ab4e81259b52@lucifer.local>
Date: Wed, 21 Aug 2024 07:53:43 +0100
From: Lorenzo Stoakes <lorenzo.stoakes@...cle.com>
To: Pedro Falcato <pedro.falcato@...il.com>
Cc: Andrew Morton <akpm@...ux-foundation.org>,
"Liam R. Howlett" <Liam.Howlett@...cle.com>,
Vlastimil Babka <vbabka@...e.cz>, Shuah Khan <shuah@...nel.org>,
linux-mm@...ck.org, linux-kernel@...r.kernel.org,
linux-kselftest@...r.kernel.org, jeffxu@...omium.org,
oliver.sang@...el.com, torvalds@...ux-foundation.org,
Michael Ellerman <mpe@...erman.id.au>, Kees Cook <kees@...nel.org>
Subject: Re: [PATCH v3 4/7] mm/mremap: Replace can_modify_mm with
can_modify_vma
On Sat, Aug 17, 2024 at 01:18:31AM GMT, Pedro Falcato wrote:
> Delegate all can_modify checks to the proper places. Unmap checks are
> done in do_unmap (et al). The source VMA check is done purposefully
> before unmapping, to keep the original mseal semantics.
>
> Signed-off-by: Pedro Falcato <pedro.falcato@...il.com>
> ---
> mm/mremap.c | 32 ++++++--------------------------
> 1 file changed, 6 insertions(+), 26 deletions(-)
>
> diff --git a/mm/mremap.c b/mm/mremap.c
> index e7ae140fc640..24712f8dbb6b 100644
> --- a/mm/mremap.c
> +++ b/mm/mremap.c
> @@ -902,19 +902,6 @@ static unsigned long mremap_to(unsigned long addr, unsigned long old_len,
> if ((mm->map_count + 2) >= sysctl_max_map_count - 3)
> return -ENOMEM;
>
> - /*
> - * In mremap_to().
> - * Move a VMA to another location, check if src addr is sealed.
> - *
> - * Place can_modify_mm here because mremap_to()
> - * does its own checking for address range, and we only
> - * check the sealing after passing those checks.
> - *
> - * can_modify_mm assumes we have acquired the lock on MM.
> - */
> - if (unlikely(!can_modify_mm(mm, addr, addr + old_len)))
> - return -EPERM;
> -
I'm honestly confused as to why the original implementation felt it
necessary to split the checks. I guess for the purposes of efficiency? But
doesn't seem efficient to me.
> if (flags & MREMAP_FIXED) {
> /*
> * In mremap_to().
> @@ -1052,6 +1039,12 @@ SYSCALL_DEFINE5(mremap, unsigned long, addr, unsigned long, old_len,
> goto out;
> }
>
> + /* Don't allow remapping vmas when they have already been sealed */
> + if (!can_modify_vma(vma)) {
> + ret = -EPERM;
> + goto out;
> + }
> +
This is much better, and having it be a VMA check is so obviously correct
here. Again confused as to why this implemented at an mm granularity
anyway...
> if (is_vm_hugetlb_page(vma)) {
> struct hstate *h __maybe_unused = hstate_vma(vma);
>
> @@ -1079,19 +1072,6 @@ SYSCALL_DEFINE5(mremap, unsigned long, addr, unsigned long, old_len,
> goto out;
> }
>
> - /*
> - * Below is shrink/expand case (not mremap_to())
> - * Check if src address is sealed, if so, reject.
> - * In other words, prevent shrinking or expanding a sealed VMA.
> - *
> - * Place can_modify_mm here so we can keep the logic related to
> - * shrink/expand together.
> - */
> - if (unlikely(!can_modify_mm(mm, addr, addr + old_len))) {
> - ret = -EPERM;
> - goto out;
> - }
> -
> /*
> * Always allow a shrinking remap: that just unmaps
> * the unnecessary pages..
>
> --
> 2.46.0
>
Reviewed-by: Lorenzo Stoakes <lorenzo.stoakes@...cle.com>
Powered by blists - more mailing lists