| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <05d38430-3512-49b0-90da-1ae7a617a377@lucifer.local>
Date: Wed, 18 Jun 2025 11:33:16 +0100
From: Lorenzo Stoakes <lorenzo.stoakes@...cle.com>
To: Barry Song <21cnbao@...il.com>
Cc: akpm@...ux-foundation.org, linux-mm@...ck.org,
linux-kernel@...r.kernel.org, Barry Song <v-songbaohua@...o.com>,
"Liam R. Howlett" <Liam.Howlett@...cle.com>,
David Hildenbrand <david@...hat.com>, Vlastimil Babka <vbabka@...e.cz>,
Jann Horn <jannh@...gle.com>, Suren Baghdasaryan <surenb@...gle.com>,
Lokesh Gidra <lokeshgidra@...gle.com>,
Tangquan Zheng <zhengtangquan@...o.com>,
Qi Zheng <zhengqi.arch@...edance.com>,
Lance Yang <ioworker0@...il.com>
Subject: Re: [PATCH v4] mm: use per_vma lock for MADV_DONTNEED
On Wed, Jun 18, 2025 at 06:11:26PM +0800, Barry Song wrote:
[sip]
> > ----8<----
> > From 1ffcaea75ebdaffe15805386f6d7733883d265a5 Mon Sep 17 00:00:00 2001
> > From: Lorenzo Stoakes <lorenzo.stoakes@...cle.com>
> > Date: Tue, 17 Jun 2025 14:35:13 +0100
> > Subject: [PATCH] mm/madvise: avoid any chance of uninitialised pointer deref
> >
> > If we were to extend madvise() to support more operations under VMA lock,
> > we could potentially dereference prev to uninitialised state in
> > madvise_update_vma().
> >
> > Avoid this by explicitly setting prev to vma before invoking the visit()
> > function.
> >
> > This has no impact on behaviour, as all visitors compatible with a VMA lock
> > do not require prev to be set to the previous VMA and at any rate we only
> > examine a single VMA in VMA lock mode.
> >
> > Reported-by: Lance Yang <ioworker0@...il.com>
> > Signed-off-by: Lorenzo Stoakes <lorenzo.stoakes@...cle.com>
> > ---
> > mm/madvise.c | 3 +++
> > 1 file changed, 3 insertions(+)
> >
> > diff --git a/mm/madvise.c b/mm/madvise.c
> > index efe5d64e1175..0970623a0e98 100644
> > --- a/mm/madvise.c
> > +++ b/mm/madvise.c
> > @@ -1333,6 +1333,8 @@ static int madvise_vma_behavior(struct vm_area_struct *vma,
> > return madvise_guard_remove(vma, prev, start, end);
> > }
> >
> > + /* We cannot provide prev in this lock mode. */
> > + VM_WARN_ON_ONCE(arg->lock_mode == MADVISE_VMA_READ_LOCK);
>
> Thanks, Lorenzo.
> Do we even reach this point for MADVISE_MMAP_READ_LOCK cases?
> madvise_update_vma() attempts to merge or split VMAs—wouldn't that be
> a scenario that requires a write lock?
Well we're relying on happening to reach here with the correct lock afaict.
I'm going to be doing some follow-up series to clean all this up!
I'd rather keep this in here for now just to ensure we don't miss some stupidity
here.
Thanks!
>
> The prerequisite for using a VMA read lock is that the operation must
> be safe under an mmap read lock as well.
>
> > anon_name = anon_vma_name(vma);
> > anon_vma_name_get(anon_name);
> > error = madvise_update_vma(vma, prev, start, end, new_flags,
> > @@ -1549,6 +1551,7 @@ int madvise_walk_vmas(struct mm_struct *mm, unsigned long start,
> > if (madv_behavior && madv_behavior->lock_mode == MADVISE_VMA_READ_LOCK) {
> > vma = try_vma_read_lock(mm, madv_behavior, start, end);
> > if (vma) {
> > + prev = vma;
> > error = visit(vma, &prev, start, end, arg);
> > vma_end_read(vma);
> > return error;
> > --
> > 2.49.0
>
> Thanks
> Barry
Powered by blists - more mailing lists