Message-ID: <abdb5298-31c7-4b0d-b31b-4913080b701c@lucifer.local>
Date: Tue, 14 Jan 2025 18:26:06 +0000
From: Lorenzo Stoakes <lorenzo.stoakes@...cle.com>
To: Matthew Wilcox <willy@...radead.org>
Cc: Yang Shi <yang@...amperecomputing.com>, arnd@...db.de,
gregkh@...uxfoundation.org, Liam.Howlett@...cle.com, vbabka@...e.cz,
jannh@...gle.com, liushixin2@...wei.com, akpm@...ux-foundation.org,
linux-mm@...ck.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] /dev/zero: make private mapping full anonymous mapping

On Tue, Jan 14, 2025 at 06:22:14PM +0000, Matthew Wilcox wrote:
> On Tue, Jan 14, 2025 at 06:19:32PM +0000, Lorenzo Stoakes wrote:
> > I see shmem_zero_page() does change vma->vm_page, this is broken... ugh. I
>
> I think you mean shmem_zero_setup() and vma->vm_file, right?

Yes, correct. Sorry it's late here and it's showing haha!

The reason I am concerned about this is because we thread mmap state
through the operation which has a separate file pointer which this makes
into a potential UAF.

Will audit all this, and look for any other problematic .mmap() callback
behaviour.

My view is ideally this should be a callback with a const pointer to the
VMA (or some other mechanism, perhaps) which accepts a change in
_permitted_ fields only.

The 'anything could happen and anybody could manipulate any field of the
VMA' in this callback is highly problematic.

But we definitely shouldn't be adding a _new_ case here.
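A userspace model of the hazard described in this message, added here as an example and not code from the thread or the kernel: struct file, vma, mmap_state, get_file()/fput() and the callback are simplified stand-ins, and the teardown that consults the caller's separate file pointer is an assumption about where the stale pointer would bite.

```c
#include <stdbool.h>
/* Simplified stand-ins for struct file, vm_area_struct and the mmap state
 * the caller threads through the operation; a model, not kernel code. */
struct file { int refcount; bool freed; };
struct vma { struct file *vm_file; };
struct mmap_state { struct file *file; };

static struct file *get_file(struct file *f) { f->refcount++; return f; }
static void fput(struct file *f) { if (--f->refcount == 0) f->freed = true; }

/* An .mmap() callback that, like shmem_zero_setup(), swaps vma->vm_file
 * for a different file and drops the reference the caller installed. */
static int mmap_cb_swaps_vm_file(struct vma *vma, struct file *replacement)
{
	struct file *old = vma->vm_file;
	vma->vm_file = get_file(replacement);
	fput(old);
	return 0;
}

/* Caller model: install the fd's file in the VMA, run the callback, then
 * release the VMA's reference either via the separate map->file pointer
 * captured before the callback (use_stale_state) or by re-reading the VMA. */
static void map_then_unmap(struct file *fd_file, struct file *replacement,
			   bool use_stale_state)
{
	struct vma vma = { .vm_file = get_file(fd_file) };
	struct mmap_state map = { .file = fd_file };
	mmap_cb_swaps_vm_file(&vma, replacement);
	fput(use_stale_state ? map.file : vma.vm_file);
}

/* True when the stale pointer releases the fd holder's only reference: the
 * file is freed while the fd still points at it, and the replacement leaks. */
static bool stale_state_frees_live_file(void)
{
	/* fd_file: held by the open fd; repl: held by its creator. */
	struct file fd_file = { .refcount = 1 }, repl = { .refcount = 1 };
	map_then_unmap(&fd_file, &repl, true);
	return fd_file.freed && repl.refcount == 2;
}

/* Re-reading vma->vm_file after the callback keeps both counts balanced. */
static bool rereading_vm_file_is_balanced(void)
{
	struct file fd_file = { .refcount = 1 }, repl = { .refcount = 1 };
	map_then_unmap(&fd_file, &repl, false);
	return !fd_file.freed && fd_file.refcount == 1 && repl.refcount == 1;
}
```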