From: Liam Howlett <liam.howlett@oracle.com>
To: Vlastimil Babka <vbabka@suse.cz>
Cc: Jann Horn <jannh@google.com>,
Andrew Morton <akpm@linux-foundation.org>,
"linux-mm@kvack.org" <linux-mm@kvack.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
Yu Zhao <yuzhao@google.com>, Jason Donenfeld <Jason@zx2c4.com>,
Matthew Wilcox <willy@infradead.org>,
SeongJae Park <sj@kernel.org>
Subject: Re: [PATCH v2] mmap: Fix do_brk_flags() modifying obviously incorrect VMAs
Date: Tue, 6 Dec 2022 17:12:55 +0000 [thread overview]
Message-ID: <20221206171248.e2fnxrdhh2cuqq3n@revolver> (raw)
In-Reply-To: <6eb002c8-0e31-7c9f-bb3d-81c4430b296c@suse.cz>
* Vlastimil Babka <vbabka@suse.cz> [221205 17:26]:
> On 12/5/22 23:13, Vlastimil Babka wrote:
> > On 12/5/22 22:55, Jann Horn wrote:
> >> On Mon, Dec 5, 2022 at 9:32 PM Andrew Morton <akpm@linux-foundation.org> wrote:
> >>> On Mon, 5 Dec 2022 19:23:17 +0000 Liam Howlett <liam.howlett@oracle.com> wrote:
> >>> > Add more sanity checks to the VMA that do_brk_flags() will expand.
> >>> > Ensure the VMA matches basic merge requirements within the function
> >>> > before calling can_vma_merge_after().
> >>>
> >>> I't unclear what's actually being fixed here.
> >>>
> >>> Why do you feel we need the above changes?
> >>>
> >>> > Drop the duplicate checks from vm_brk_flags() since they will be
> >>> > enforced later.
> >>> >
> >>> > Fixes: 2e7ce7d354f2 ("mm/mmap: change do_brk_flags() to expand existing VMA and add do_brk_munmap()")
> >>>
> >>> Fixes in what way? Removing the duplicate checks?
> >>
> >> The old code would expand file VMAs on brk(), which is functionally
> >> wrong and also dangerous in terms of locking because the brk() path
> >> isn't designed for file VMAs and therefore doesn't lock the file
> >> mapping. Checking can_vma_merge_after() ensures that new anonymous
> >> VMAs can't be merged into file VMAs.
> >>
> >> See https://lore.kernel.org/linux-mm/CAG48ez1tJZTOjS_FjRZhvtDA-STFmdw8PEizPDwMGFd_ui0Nrw@mail.gmail.com/
>
> And yeah, that URL should have been a Link: in the patch. And the scenario
> it's fixing described in a bit more detail?
Yes, sorry. I should have made a better effort in describing what I was
fixing. It seems I understated what was happening.
>
> > I guess the point is that if we fix it still within 6.1, we don't have to
> > devise how exactly this is exploitable, but due to the insufficient locking
> > it most likely is, right?
>
prev parent reply other threads:[~2022-12-06 17:13 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-12-05 19:23 Liam Howlett
2022-12-05 20:32 ` Andrew Morton
2022-12-05 21:55 ` Jann Horn
2022-12-05 22:13 ` Vlastimil Babka
2022-12-05 22:22 ` Jann Horn
2022-12-05 22:26 ` Vlastimil Babka
2022-12-06 17:12 ` Liam Howlett [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20221206171248.e2fnxrdhh2cuqq3n@revolver \
--to=liam.howlett@oracle.com \
--cc=Jason@zx2c4.com \
--cc=akpm@linux-foundation.org \
--cc=jannh@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=sj@kernel.org \
--cc=vbabka@suse.cz \
--cc=willy@infradead.org \
--cc=yuzhao@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox