| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <14c6f0f3-0747-4800-8718-4f109f7321ea@lucifer.local>
Date: Sun, 23 Apr 2023 23:56:48 +0100
From: Lorenzo Stoakes <lstoakes@...il.com>
To: Dave Chinner <david@...morbit.com>
Cc: linux-mm@...ck.org, linux-kernel@...r.kernel.org,
Andrew Morton <akpm@...ux-foundation.org>,
Jason Gunthorpe <jgg@...pe.ca>, Jens Axboe <axboe@...nel.dk>,
Matthew Wilcox <willy@...radead.org>,
Dennis Dalessandro <dennis.dalessandro@...nelisnetworks.com>,
Leon Romanovsky <leon@...nel.org>,
Christian Benvenuti <benve@...co.com>,
Nelson Escobar <neescoba@...co.com>,
Bernard Metzler <bmt@...ich.ibm.com>,
Peter Zijlstra <peterz@...radead.org>,
Ingo Molnar <mingo@...hat.com>,
Arnaldo Carvalho de Melo <acme@...nel.org>,
Mark Rutland <mark.rutland@....com>,
Alexander Shishkin <alexander.shishkin@...ux.intel.com>,
Jiri Olsa <jolsa@...nel.org>,
Namhyung Kim <namhyung@...nel.org>,
Ian Rogers <irogers@...gle.com>,
Adrian Hunter <adrian.hunter@...el.com>,
Bjorn Topel <bjorn@...nel.org>,
Magnus Karlsson <magnus.karlsson@...el.com>,
Maciej Fijalkowski <maciej.fijalkowski@...el.com>,
Jonathan Lemon <jonathan.lemon@...il.com>,
"David S . Miller" <davem@...emloft.net>,
Eric Dumazet <edumazet@...gle.com>,
Jakub Kicinski <kuba@...nel.org>,
Paolo Abeni <pabeni@...hat.com>,
Christian Brauner <brauner@...nel.org>,
Richard Cochran <richardcochran@...il.com>,
Alexei Starovoitov <ast@...nel.org>,
Daniel Borkmann <daniel@...earbox.net>,
Jesper Dangaard Brouer <hawk@...nel.org>,
John Fastabend <john.fastabend@...il.com>,
linux-fsdevel@...r.kernel.org, linux-perf-users@...r.kernel.org,
netdev@...r.kernel.org, bpf@...r.kernel.org
Subject: Re: [PATCH] mm/gup: disallow GUP writing to file-backed mappings by
default
On Mon, Apr 24, 2023 at 08:29:41AM +1000, Dave Chinner wrote:
> On Sat, Apr 22, 2023 at 02:37:05PM +0100, Lorenzo Stoakes wrote:
> > +/*
> > + * Writing to file-backed mappings using GUP is a fundamentally broken operation
> > + * as kernel write access to GUP mappings may not adhere to the semantics
> > + * expected by a file system.
> > + *
> > + * In most instances we disallow this broken behaviour, however there are some
> > + * exceptions to this enforced here.
> > + */
> > +static inline bool can_write_file_mapping(struct vm_area_struct *vma,
> > + unsigned long gup_flags)
> > +{
> > + struct file *file = vma->vm_file;
> > +
> > + /* If we aren't pinning then no problematic write can occur. */
> > + if (!(gup_flags & (FOLL_GET | FOLL_PIN)))
> > + return true;
> > +
> > + /* Special mappings should pose no problem. */
> > + if (!file)
> > + return true;
>
> Ok...
>
> > +
> > + /* Has the caller explicitly indicated this case is acceptable? */
> > + if (gup_flags & FOLL_ALLOW_BROKEN_FILE_MAPPING)
> > + return true;
> > +
> > + /* shmem and hugetlb mappings do not have problematic semantics. */
> > + return vma_is_shmem(vma) || is_file_hugepages(file);
> > +}
>
> This looks backwards. We only want the override to occur when the
> target won't otherwise allow it. i.e. This should be:
>
> if (vma_is_shmem(vma))
> return true;
> if (is_file_hugepages(vma)
> return true;
>
> /*
> * Issue a warning only if we are allowing a write to a mapping
> * that does not support what we are attempting to do functionality.
> */
> if (WARN_ON_ONCE(gup_flags & FOLL_ALLOW_BROKEN_FILE_MAPPING))
> return true;
> return false;
>
> i.e. we only want the warning to fire when the override is
> triggered - indicating that the caller is actually using a file
> mapping in a broken way, not when it is being used on
> file/filesystem that actually supports file mappings in this way.
>
> > static int check_vma_flags(struct vm_area_struct *vma, unsigned long gup_flags)
> > {
> > vm_flags_t vm_flags = vma->vm_flags;
> > int write = (gup_flags & FOLL_WRITE);
> > int foreign = (gup_flags & FOLL_REMOTE);
> > + bool vma_anon = vma_is_anonymous(vma);
> >
> > if (vm_flags & (VM_IO | VM_PFNMAP))
> > return -EFAULT;
> >
> > - if (gup_flags & FOLL_ANON && !vma_is_anonymous(vma))
> > + if ((gup_flags & FOLL_ANON) && !vma_anon)
> > return -EFAULT;
> >
> > if ((gup_flags & FOLL_LONGTERM) && vma_is_fsdax(vma))
> > @@ -978,6 +1008,10 @@ static int check_vma_flags(struct vm_area_struct *vma, unsigned long gup_flags)
> > return -EFAULT;
> >
> > if (write) {
> > + if (!vma_anon &&
> > + WARN_ON_ONCE(!can_write_file_mapping(vma, gup_flags)))
> > + return -EFAULT;
>
> Yeah, the warning definitely belongs in the check function when the
> override triggers allow broken behaviour to proceed, not when we
> disallow a write fault because the underlying file/filesystem does
> not support the operation being attempted.
I disagree for two reasons:-
1. There are places in the kernel that rely on this broken behaviour, most
notably ptrace (and /proc/$pid/mem), but also the other places where you
can see I've added this flag. I'm not sure spamming warnings for
ordinary cases would be useful.
2. The purpose of putting a warning here is to catch any case I might have
missed where broken behaviour is required, but now disallowed, because it
might actually be hard for a GUP user to track down that this is why the
GUP is no longer functioning (since all they'll see is an -EFAULT).
This warned upon check should in reality not occur, because it implies the
GUP user is trying to do something broken and is _not_ explicitly telling
GUP that it knows it's doing it and can live with the consequences. And on
that basis, is worthy of a warning so we know we have to go put this flag
in that place (and know it is a source of problematic GUP usage), or fix
the caller.
An example case is placing breakpoints in gdb, without the flag being set
for /proc/$pid/mem this will just fail. Raising a kernel warning when a
user places a breakpoint seems... unhelpful :)
>
> -Dave.
> --
> Dave Chinner
> david@...morbit.com
Powered by blists - more mailing lists