| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <049f0da40ed76d94c419f83dd42deb413d6afb44.1737000287.git.tavianator@tavianator.com>
Date: Wed, 15 Jan 2025 23:05:38 -0500
From: Tavian Barnes <tavianator@...ianator.com>
To: linux-fsdevel@...r.kernel.org
Cc: Tavian Barnes <tavianator@...ianator.com>,
Alexander Viro <viro@...iv.linux.org.uk>,
Christian Brauner <brauner@...nel.org>,
Jan Kara <jack@...e.cz>,
linux-kernel@...r.kernel.org
Subject: [PATCH] coredump: allow interrupting dumps of large anonymous regions
dump_user_range() supports sparse core dumps by skipping anonymous pages
which have not been modified. If get_dump_page() returns NULL, the page
is skipped rather than written to the core dump with dump_emit_page().
Sadly, dump_emit_page() contains the only check for dump_interrupted(),
so when dumping a very large sparse region, the core dump becomes
effectively uninterruptible. This can be observed with the following
test program:
#include <stdlib.h>
#include <stdio.h>
#include <sys/mman.h>
int main(void) {
char *mem = mmap(NULL, 1ULL << 40, PROT_READ | PROT_WRITE,
MAP_ANONYMOUS | MAP_NORESERVE | MAP_PRIVATE, -1, 0);
printf("%p %m\n", mem);
if (mem != MAP_FAILED) {
mem[0] = 1;
}
abort();
}
The program allocates 1 TiB of anonymous memory, touches one page of it,
and aborts. During the core dump, SIGKILL has no effect. It takes
about 30 seconds to finish the dump, burning 100% CPU.
This issue naturally arises with things like Address Sanitizer, which
allocate a large sparse region of virtual address space for their shadow
memory.
Fix it by checking dump_interrupted() explicitly in dump_user_pages().
Signed-off-by: Tavian Barnes <tavianator@...ianator.com>
---
fs/coredump.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/fs/coredump.c b/fs/coredump.c
index d48edb37bc35..fd29d3f15f1e 100644
--- a/fs/coredump.c
+++ b/fs/coredump.c
@@ -950,6 +950,10 @@ int dump_user_range(struct coredump_params *cprm, unsigned long start,
}
} else {
dump_skip(cprm, PAGE_SIZE);
+ if (dump_interrupted()) {
+ dump_page_free(dump_page);
+ return 0;
+ }
}
cond_resched();
}
--
2.48.1
Powered by blists - more mailing lists