| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <c44d373d-d72b-4e62-a613-a746a2c290e7@lucifer.local>
Date: Mon, 23 Sep 2024 20:34:35 +0100
From: Lorenzo Stoakes <lorenzo.stoakes@...cle.com>
To: Shakeel Butt <shakeel.butt@...ux.dev>
Cc: Andrew Morton <akpm@...ux-foundation.org>,
Vlastimil Babka <vbabka@...e.cz>,
"Liam R . Howlett" <Liam.Howlett@...cle.com>,
Suren Baghdasaryan <surenb@...gle.com>, Arnd Bergmann <arnd@...db.de>,
linux-api@...r.kernel.org, linux-mm@...ck.org,
linux-kernel@...r.kernel.org, Minchan Kim <minchan@...nel.org>
Subject: Re: [PATCH 1/2] mm/madvise: introduce PR_MADV_SELF flag to
process_madvise()
On Mon, Sep 23, 2024 at 11:56:06AM GMT, Shakeel Butt wrote:
> On Mon, Sep 23, 2024 at 05:03:56PM GMT, Lorenzo Stoakes wrote:
> [...]
> > SYSCALL_DEFINE5(process_madvise, int, pidfd, const struct iovec __user *, vec,
> > size_t, vlen, int, behavior, unsigned int, flags)
> > {
> > @@ -1486,10 +1509,9 @@ SYSCALL_DEFINE5(process_madvise, int, pidfd, const struct iovec __user *, vec,
> > struct iov_iter iter;
> > struct task_struct *task;
> > struct mm_struct *mm;
> > - size_t total_len;
> > unsigned int f_flags;
> >
> > - if (flags != 0) {
> > + if (flags & ~PR_MADV_SELF) {
> > ret = -EINVAL;
> > goto out;
> > }
> > @@ -1498,13 +1520,26 @@ SYSCALL_DEFINE5(process_madvise, int, pidfd, const struct iovec __user *, vec,
> > if (ret < 0)
> > goto out;
> >
> > + /*
> > + * Perform an madvise operation on the current process. No restrictions
> > + * need be applied, nor do we need to pin the task or mm_struct.
> > + */
> > + if (flags & PR_MADV_SELF) {
> > + ret = vector_madvise(current->mm, &iter, behavior);
> > + goto free_iov;
> > + }
> > +
> > task = pidfd_get_task(pidfd, &f_flags);
> > if (IS_ERR(task)) {
> > ret = PTR_ERR(task);
> > goto free_iov;
> > }
> >
> > - if (!process_madvise_behavior_valid(behavior)) {
> > + /*
> > + * We need only perform this check if we are attempting to manipulate a
> > + * remote process's address space.
> > + */
> > + if (mm != current->mm && !process_madvise_remote_valid(behavior)) {
>
> Move the above check after mm is initialized i.e. mm = mm_access().
>
> Shakeel
Ugh, sorry silly one there! Reflexively put that check in the original position.
Enclose a quick fix-patch for it, will fix on any respin also.
----8<----
>From dc09e0edf1cf71a89cc4cfc3ec73fdae3c2ab86c Mon Sep 17 00:00:00 2001
From: Lorenzo Stoakes <lorenzo.stoakes@...cle.com>
Date: Mon, 23 Sep 2024 20:33:07 +0100
Subject: [PATCH] mm/madvise: retrieve mm before checking
---
mm/madvise.c | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/mm/madvise.c b/mm/madvise.c
index 549b36d1463c..49d12f98b677 100644
--- a/mm/madvise.c
+++ b/mm/madvise.c
@@ -1535,20 +1535,20 @@ SYSCALL_DEFINE5(process_madvise, int, pidfd, const struct iovec __user *, vec,
goto free_iov;
}
+ /* Require PTRACE_MODE_READ to avoid leaking ASLR metadata. */
+ mm = mm_access(task, PTRACE_MODE_READ_FSCREDS);
+ if (IS_ERR_OR_NULL(mm)) {
+ ret = IS_ERR(mm) ? PTR_ERR(mm) : -ESRCH;
+ goto release_task;
+ }
+
/*
* We need only perform this check if we are attempting to manipulate a
* remote process's address space.
*/
if (mm != current->mm && !process_madvise_remote_valid(behavior)) {
ret = -EINVAL;
- goto release_task;
- }
-
- /* Require PTRACE_MODE_READ to avoid leaking ASLR metadata. */
- mm = mm_access(task, PTRACE_MODE_READ_FSCREDS);
- if (IS_ERR_OR_NULL(mm)) {
- ret = IS_ERR(mm) ? PTR_ERR(mm) : -ESRCH;
- goto release_task;
+ goto release_mm;
}
/*
--
2.46.0
Powered by blists - more mailing lists