| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <aa839e3a-11f3-49e1-8c3b-a60106c8d165@redhat.com>
Date: Fri, 25 Jul 2025 11:46:13 +0200
From: David Hildenbrand <david@...hat.com>
To: Lorenzo Stoakes <lorenzo.stoakes@...cle.com>
Cc: Andrew Morton <akpm@...ux-foundation.org>,
"Liam R . Howlett" <Liam.Howlett@...cle.com>,
Vlastimil Babka <vbabka@...e.cz>, Jann Horn <jannh@...gle.com>,
Pedro Falcato <pfalcato@...e.de>, linux-mm@...ck.org,
linux-kernel@...r.kernel.org, Jeff Xu <jeffxu@...omium.org>
Subject: Re: [PATCH v3 2/5] mm/mseal: update madvise() logic
>>
>> Well, there is long-term pinning that can break COW and other weird stuff
>> like FOLL_FORCE. Most of the latter probably holds the mmap lock in write
>> mode. Probably.
>
> Well GUP uses read lock.
Right, so it can race with MADV_DONTNEED.
>
> FOLL_FORCE won't override anything as we have this check in check_vma_flags():
>
> if (write) {
> if (!vma_anon &&
> !writable_file_mapping_allowed(vma, gup_flags))
> return -EFAULT;
>
> if (!(vm_flags & VM_WRITE) || (vm_flags & VM_SHADOW_STACK)) {
> if (!(gup_flags & FOLL_FORCE))
> return -EFAULT;
> /*
> * We used to let the write,force case do COW in a
> * VM_MAYWRITE VM_SHARED !VM_WRITE vma, so ptrace could
> * set a breakpoint in a read-only mapping of an
> * executable, without corrupting the file (yet only
> * when that file had been opened for writing!).
> * Anon pages in shared mappings are surprising: now
> * just reject it.
> */
> if (!is_cow_mapping(vm_flags))
> return -EFAULT;
> }
> }
>
> With:
>
> static inline bool is_cow_mapping(vm_flags_t flags)
> {
> return (flags & (VM_SHARED | VM_MAYWRITE)) == VM_MAYWRITE;
> }
>
Not sure what you mean. Using FOLL_FORCE you can write into MAP_PRIVATE
R/O mappings. Particular useful for installing breakpoints into loaded
executables etc.
is_cow_mapping() tells you exactly that: the only place where we can
have anon folios is when we have a MAP_PRIVATE mapping (!VM_SHARED) that
can be writable, for example, through mprotect(PROT_WRITE) (VM_MAYWRITE).
A MAP_PRIVATE R/O file mapping matches is_cow_mapping().
> So - we explicitly disallow FOLL_FORCE write override for CoW file-backed
> mappings.
>
> Obviously if FOLL_FORCE is not set, then we're ALSO not allowed to get past a
> FOLL_WRITE and !VM_WRITE situation.
>
>>
>>>
>>> Hmm maybe I'll soften on this anon_vma idea then. Maybe it is a 'cheap fix' to
>>> rule out the _usual_ cases.
>>
>> Yeah, something to evaluate.
>
> I'm thinking more and more we're probably actually safe with !vma->anon_vma ||
> !(vma->vm_flags & VM_MAYWRITE).
I think there are possible races, the question is how much you care
about them.
In case of CoW-unsharing, you're not actually discarding data, because
the page in the anon folio is to maintain a copy of the pagecache page
(of course, they can go out of sync, but that's a different discussion).
--
Cheers,
David / dhildenb
Powered by blists - more mailing lists