| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAEf4BzaozamTRoK8YromvPZ3b1wNBvxwWrbpfpX4ZFwkMDbMGg@mail.gmail.com> Date: Mon, 5 Jan 2026 14:52:56 -0800 From: Andrii Nakryiko <andrii.nakryiko@...il.com> To: "David Hildenbrand (Red Hat)" <david@...nel.org> Cc: Andrew Morton <akpm@...ux-foundation.org>, Jinchao Wang <wangjinchao600@...il.com>, Song Liu <song@...nel.org>, Jiri Olsa <jolsa@...nel.org>, Alexei Starovoitov <ast@...nel.org>, Daniel Borkmann <daniel@...earbox.net>, Andrii Nakryiko <andrii@...nel.org>, Martin KaFai Lau <martin.lau@...ux.dev>, Eduard Zingerman <eddyz87@...il.com>, Yonghong Song <yonghong.song@...ux.dev>, John Fastabend <john.fastabend@...il.com>, KP Singh <kpsingh@...nel.org>, Stanislav Fomichev <sdf@...ichev.me>, Hao Luo <haoluo@...gle.com>, linux-kernel@...r.kernel.org, bpf@...r.kernel.org, syzbot+e008db2ac01e282550ee@...kaller.appspotmail.com, Axel Rasmussen <axelrasmussen@...gle.com>, Johannes Weiner <hannes@...xchg.org>, Lorenzo Stoakes <lorenzo.stoakes@...cle.com>, Michal Hocko <mhocko@...nel.org>, Qi Zheng <zhengqi.arch@...edance.com>, Shakeel Butt <shakeel.butt@...ux.dev>, Wei Xu <weixugc@...gle.com>, Yuanchu Xie <yuanchu@...gle.com>, Omar Sandoval <osandov@...com>, Deepanshu Kartikey <kartikey406@...il.com> Subject: Re: [PATCH] buildid: validate page-backed file before parsing build ID On Tue, Dec 30, 2025 at 2:11 PM David Hildenbrand (Red Hat) <david@...nel.org> wrote: > > On 12/23/25 18:29, Andrew Morton wrote: > > On Tue, 23 Dec 2025 18:32:07 +0800 Jinchao Wang <wangjinchao600@...il.com> wrote: > > > >> __build_id_parse() only works on page-backed storage. Its helper paths > >> eventually call mapping->a_ops->read_folio(), so explicitly reject VMAs > >> that do not map a regular file or lack valid address_space operations. > >> > >> Reported-by: syzbot+e008db2ac01e282550ee@...kaller.appspotmail.com > >> Signed-off-by: Jinchao Wang <wangjinchao600@...il.com> > >> > >> ... > >> > >> --- a/lib/buildid.c > >> +++ b/lib/buildid.c > >> @@ -280,7 +280,10 @@ static int __build_id_parse(struct vm_area_struct *vma, unsigned char *build_id, > >> int ret; > >> > >> /* only works for page backed storage */ > >> - if (!vma->vm_file) > >> + if (!vma->vm_file || > >> + !S_ISREG(file_inode(vma->vm_file)->i_mode) || > >> + !vma->vm_file->f_mapping->a_ops || > >> + !vma->vm_file->f_mapping->a_ops->read_folio) > >> return -EINVAL; > > Just wondering, we are fine with MAP_PRIVATE files, right? I guess it's > not about the actual content in the VMA (which might be different for a > MAP_PRIVATE VMA), but only about the content of the mapped file. Yep, this code is fetching contents of a file that backs given VMA. > > > LGTM, although I wonder whether some of these these checks should be > exposed as part of the read_cache_folio()/do_read_cache_folio() API. > > Like, having a helper function that tells us whether we can use > do_read_cache_folio() against a given mapping+file. I agree, this seems to be leaking a lot of internal mm details into higher-level caller (__build_id_parse). Right now we try to fetch folio with filemap_get_folio() and if that succeeds, then we do read_cache_folio. Would it be possible for filemap_get_folio() to return error if the folio cannot be read using read_cache_folio()? Or maybe have a variant of filemap_get_folio() that would have this semantic? > > -- > Cheers > > David
Powered by blists - more mailing lists