Date: Thu, 3 Sep 2020 10:31:08 -0700
From: Kees Cook
To: Colin Cross
Cc: "Kirill A. Shutemov", Matthew Wilcox, "Kirill A. Shutemov", Sumit Semwal, Andrew Morton, Linux-MM, lkml, Alexey Dobriyan, Jonathan Corbet, Mauro Carvalho Chehab, Michal Hocko, Alexey Gladkov, Jason Gunthorpe, Michel Lespinasse, Michal Koutný, Song Liu, Huang Ying, Vlastimil Babka, Yang Shi, chenqiwu, Mathieu Desnoyers, John Hubbard, Mike Christie, Bart Van Assche, Amit Pundir, Thomas Gleixner, Christian Brauner, Daniel Jordan, Adrian Reber, Nicolas Viennot, Al Viro, linux-fsdevel@vger.kernel.org, John Stultz, Pekka Enberg, Dave Hansen, Peter Zijlstra, Ingo Molnar, Oleg Nesterov, "Eric W. Biederman", Jan Glauber, Rob Landley, Cyrill Gorcunov, "Serge E. Hallyn", David Rientjes, Hugh Dickins, Rik van Riel, Mel Gorman, Tang Chen, Robin Holt, Shaohua Li, Sasha Levin, Johannes Weiner, Minchan Kim
Subject: Re: [PATCH v7 3/3] mm: add a field to store names for private anonymous memory
Message-ID: <202009031022.3834F692@keescook>
References: <20200901161459.11772-1-sumit.semwal@linaro.org> <20200901161459.11772-4-sumit.semwal@linaro.org> <20200903132537.mp5e6o6ptgbkghxe@box> <20200903134340.GA14765@casper.infradead.org> <20200903135806.ceoivs5pzlchg6uj@black.fi.intel.com>

On Thu, Sep 03, 2020 at 08:59:38AM -0700, Colin Cross wrote:
> On Thu, Sep 3, 2020 at 6:58 AM Kirill A. Shutemov wrote:
> >
> > On Thu, Sep 03, 2020 at 02:43:40PM +0100, Matthew Wilcox wrote:
> > > On Thu, Sep 03, 2020 at 04:25:37PM +0300, Kirill A. Shutemov wrote:
> > > > IIUC, it gives userspace direct control of content of /proc/$PID/maps and
> > > > /proc/$PID/smaps. There's no verification of the given string whatsoever.
> > > > I'm sure security experts would find clever usage of the feature :P
> > >
> > > What, you think that naming a VMA
> > > "\n55bc3e0f9000-55bc3e0fb000 r--p 00000000 fd:01 16777285 /bin/cat" might cause problems?
>
> The data is wrapped inside "[anon: ]", which limits the ability to
> masquerade as a real file.

That's true, but it's insufficient to avoid spoofing parsers (e.g. if I
set my name to "hiding]\nfake-maps-line-here [anon: evil"

> > Something that would cause buffer overrun or out-of-bound access in a
> > privileged parser can be even more interesting. :)
>
> This is the same as /proc/pid/cmdline, which has no sanitization.
> It's also limited to 255 bytes, which should hopefully limit the
> opportunity for a buffer overrun.

/proc/$pid/cmdline contains a "single item", in the sense that the
entire field is contained. Confusing parsers is certainly still
possible, but the bounds for it are distinct in that there is nothing
else in that file.

The better analogy is with /proc/$pid/status, which is multi-line like
maps, and *does* perform escaping, e.g.:

$ cat sneaky.c
#include <stdio.h>
#include <unistd.h>

int main(int argc, char *argv[])
{
	/* argv[0] of the new image contains two embedded newlines */
	char * const args[] = {
		"four\nfive\nsix",
		NULL,
	};

	/* the program path itself also contains embedded newlines */
	return execv("./one\ntwo\nthree", args);
}
$ head -n1 /proc/$pid/status
Name:	one\ntwo\nthree
$ cat /proc/$pid/cmdline
four
five
six

> > > Would it be enough to restrict the characters to isalnum()?
> >
> > I guess.
> >
> > But current design stores userspace pointer and there's time-of-check vs.
> > time-of-use problem.
>
> It copies from userspace into a kernel buffer at read time, any
> desired sanitization could easily be added there.

I would prefer having strict validation of the input over escaping the
output, so to that end how about making close to "variable name" sane:
[-\.a-zA-Z0-9_ ] ? if it should be wider than that, how about printable
minus \n \r \f \v [ ] ?

-- 
Kees Cook
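The two input-validation rules proposed above, and the escaping alternative that /proc/$pid/status uses, written out as an added standalone example. This is not code from the patch series or from the kernel: the function names, the return-value convention and the escaping routine are this example's own choices, and the 255-byte limit is taken from the figure quoted in the thread. It runs in userspace over constructed sample names, including the spoof string from the reply, so a reviewer can see which rule rejects which byte.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Longest name accepted; 255 bytes matches the limit quoted in the thread. */
#define ANON_NAME_MAX 255

/* Rule 1 from the reply: "variable name" characters only, [-\.a-zA-Z0-9_ ]. */
static bool anon_name_char_strict(unsigned char c)
{
    return isalnum(c) || c == '-' || c == '.' || c == '_' || c == ' ';
}

/* Rule 2: printable ASCII minus \n \r \f \v and the brackets that delimit
 * "[anon: ...]" in the maps output. isprint() already rejects \n \r \f \v
 * and every other control byte; '[' and ']' are rejected explicitly. */
static bool anon_name_char_printable(unsigned char c)
{
    if (c >= 0x80)      /* non-ASCII bytes: keep the output locale-independent */
        return false;
    if (!isprint(c))    /* controls, including \n \r \f \v */
        return false;
    return c != '[' && c != ']';
}

/* Validate a candidate name (hypothetical helper). Returns 0 when the name
 * is acceptable, -1 when it is empty or longer than ANON_NAME_MAX, otherwise
 * the 1-based offset of the first rejected byte. */
int validate_anon_name(const char *name, bool strict)
{
    size_t len = strlen(name);
    if (len == 0 || len > ANON_NAME_MAX)
        return -1;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        bool ok = strict ? anon_name_char_strict(c)
                         : anon_name_char_printable(c);
        if (!ok)
            return (int)i + 1;
    }
    return 0;
}

/* The escaping alternative: render the name the way the status example
 * shows "one\ntwo\nthree", i.e. control bytes become a backslash sequence so
 * the result can never contain a real line break. This is an illustration of
 * the approach, not the kernel's own escaping code. Returns the number of
 * bytes written (excluding the NUL), or -1 if out is too small. */
int escape_anon_name(const char *name, char *out, size_t outsz)
{
    size_t w = 0;
    for (const unsigned char *p = (const unsigned char *)name; *p; p++) {
        char esc = 0;
        switch (*p) {
        case '\n': esc = 'n'; break;
        case '\r': esc = 'r'; break;
        case '\t': esc = 't'; break;
        case '\f': esc = 'f'; break;
        case '\v': esc = 'v'; break;
        case '\\': esc = '\\'; break;
        }
        if (esc) {
            if (w + 2 >= outsz) return -1;
            out[w++] = '\\'; out[w++] = esc;
        } else if (*p < 0x20 || *p >= 0x7f) {
            if (w + 4 >= outsz) return -1;          /* "\ooo" is four bytes */
            w += (size_t)snprintf(out + w, outsz - w, "\\%03o", *p);
        } else {
            if (w + 1 >= outsz) return -1;
            out[w++] = (char)*p;
        }
    }
    out[w] = '\0';
    return (int)w;
}

int main(void)
{
    /* Constructed sample names; the second one is the spoof from the reply. */
    const char *samples[] = {
        "heap-arena 3",
        "hiding]\nfake-maps-line-here [anon: evil",
        "libfoo.so:data",
    };
    char escaped[128];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        escape_anon_name(samples[i], escaped, sizeof escaped);
        printf("%-45s strict=%d printable=%d\n", escaped,
               validate_anon_name(samples[i], true),
               validate_anon_name(samples[i], false));
    }
    return 0;
}
```

The strict rule rejects "libfoo.so:data" at the colon while the printable rule accepts it; both rules reject the spoof string at its first ']' (offset 7), which is the byte that would otherwise close the "[anon: ...]" wrapper early. Validation at write time keeps every consumer of maps and smaps safe without each parser having to know the escaping convention.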