lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <ccf359b0-8baa-4209-b2c3-75e3813ca804@redhat.com>
Date: Fri, 30 May 2025 10:33:16 +0200
From: David Hildenbrand <david@...hat.com>
To: Pu Lehui <pulehui@...weicloud.com>, Oleg Nesterov <oleg@...hat.com>
Cc: lorenzo.stoakes@...cle.com, mhiramat@...nel.org, peterz@...radead.org,
 Liam.Howlett@...cle.com, akpm@...ux-foundation.org, vbabka@...e.cz,
 jannh@...gle.com, pfalcato@...e.de, linux-mm@...ck.org,
 linux-kernel@...r.kernel.org, pulehui@...wei.com
Subject: Re: [RFC PATCH] mm/mmap: Fix uprobe anon page be overwritten when
 expanding vma during mremap

On 29.05.25 18:07, Pu Lehui wrote:
> 
> On 2025/5/28 17:03, David Hildenbrand wrote:
>> On 27.05.25 15:38, Pu Lehui wrote:
>>> Hi David,
>>>
>>> On 2025/5/27 2:46, David Hildenbrand wrote:
>>>> On 26.05.25 17:48, Oleg Nesterov wrote:
>>>>> Hi Lehui,
>>>>>
>>>>> As I said, I don't understand mm/, so can't comment, but...
>>>>>
>>>>> On 05/26, Pu Lehui wrote:
>>>>>>
>>>>>> To make things simpler, perhaps we could try post-processing, that is:
>>>>>>
>>>>>> diff --git a/mm/mremap.c b/mm/mremap.c
>>>>>> index 83e359754961..46a757fd26dc 100644
>>>>>> --- a/mm/mremap.c
>>>>>> +++ b/mm/mremap.c
>>>>>> @@ -240,6 +240,11 @@ static int move_ptes(struct
>>>>>> pagetable_move_control
>>>>>> *pmc,
>>>>>>                    if (pte_none(ptep_get(old_pte)))
>>>>>>                            continue;
>>>>>>
>>>>>> +               /* skip move pte when expanded range has uprobe */
>>>>>> +               if (unlikely(pte_present(*new_pte) &&
>>>>>> +                            vma_has_uprobes(pmc->new, new_addr,
>>>>>> new_addr +
>>>>>> PAGE_SIZE)))
>>>>>> +                       continue;
>>>>>> +
>>>>>
>>>>> I was thinking about
>>>>>
>>>>>       WARN_ON(!pte_none(*new_pte))
>>>>>
>>>>> at the start of the main loop.
>>>>>
>>>>> Obviously not to fix the problem, but rather to make it more explicit.
>>>>
>>>> Yeah, WARN_ON_ONCE().
>>>>
>>>> We really should fix the code to not install uprobes into the area we
>>>> are moving.
>>> Alright, so let's try this direction.
>>>
>>>>
>>>> Likely, the correct fix will be to pass the range as well to
>>>> uprobe_mmap(), and passing that range to build_probe_list().
>>>
>>> It will be great. But IIUC, the range we expand to is already included
>>> when entering uprobe_mmap and also build_probe_list.
>>
>> Right, you'd have to communicate that information through all layers
>> (expanded range).
>>
>> As an alternative, maybe we can really call handle_vma_uprobe() after
>> moving the pages.
> 
> Hi David,
> 
> Not sure if this is possible, but I think it would be appropriate to not
> handle this uprobe_mmap at the source, and maybe we should make it clear
> that new_pte must be NULL when move_ptes, otherwise it should be an
> exception?

Yeah, we should ay least document that if we find any non-none pte in 
the range we are moving to, we have a big problem.

I think the main issue is that vma_complete() calls uprobe_mmap() before 
moving the page tables over.

If we could defer the uprobe_mmap() call, we might be good.

The entry point is copy_vma_and_data(), where we call copy_vma() before 
move_page_tables().

copy_vma() should trigger the uprobe_mmap() through vma_merge_new_range().

I wonder if there might be a clean way to move the uprobe_mmap() out of 
vma_complete(). (or at least specify to skip it because it will be done 
manually).

-- 
Cheers,

David / dhildenb


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ