From: "Liam R. Howlett" <Liam.Howlett@oracle.com>
To: Jann Horn <jannh@google.com>
Cc: Andrew Morton <akpm@linux-foundation.org>,
Lorenzo Stoakes <lorenzo.stoakes@oracle.com>,
Linux-MM <linux-mm@kvack.org>,
kernel list <linux-kernel@vger.kernel.org>,
Suren Baghdasaryan <surenb@google.com>,
Matthew Wilcox <willy@infradead.org>,
Vlastimil Babka <vbabka@suse.cz>,
Sidhartha Kumar <sidhartha.kumar@oracle.com>,
Bert Karwatzki <spasswolf@web.de>, Jiri Olsa <olsajiri@gmail.com>,
Kees Cook <kees@kernel.org>,
"Paul E . McKenney" <paulmck@kernel.org>,
Jeff Xu <jeffxu@chromium.org>,
Seth Jenkins <sethjenkins@google.com>
Subject: Re: [BUG] page table UAF, Re: [PATCH v8 14/21] mm/mmap: Avoid zeroing vma tree in mmap_region()
Date: Fri, 11 Oct 2024 10:26:24 -0400 [thread overview]
Message-ID: <2rdgyyn36yn7ey5oopynmkerpfx4ghdazhgwh7p53z7oaf646h@7hahj6yyowgv> (raw)
In-Reply-To: <CAG48ez0e4Zv3g2uHGzhrCmJcE2XE=160HxyNy4YAhEfQKKFNBw@mail.gmail.com>
* Jann Horn <jannh@google.com> [241008 13:16]:
...
> > > > >
> > > > > task 1 (mmap, MAP_FIXED) task 2 (ftruncate)
> > > > > ======================== ==================
> > > > > mmap_region
> > > > > vma_merge_new_range
> > > > > vma_expand
> > > > > commit_merge
> > > > > vma_prepare
> > > > > [take rmap locks]
> > > > > vma_set_range
> > > > > [expand adjacent mapping]
> > > > > vma_complete
> > > > > [drop rmap locks]
> > > > > vms_complete_munmap_vmas
> > > > > vms_clear_ptes
> > > > > unmap_vmas
> > > > > [removes ptes]
> > > > > free_pgtables
> > > > > [unlinks old vma from rmap]
> > > > > unmap_mapping_range
> > > > > unmap_mapping_pages
> > > > > i_mmap_lock_read
> > > > > unmap_mapping_range_tree
> > > > > [loop]
> > > > > unmap_mapping_range_vma
> > > > > zap_page_range_single
> > > > > unmap_single_vma
> > > > > unmap_page_range
> > > > > zap_p4d_range
> > > > > zap_pud_range
> > > > > zap_pmd_range
> > > > > [looks up pmd entry]
> > > > > free_pgd_range
> > > > > [frees pmd]
> > > > > [UAF pmd entry access]
> > > > >
> > > > > To reproduce this, apply the attached mmap-vs-truncate-racewiden.diff
> > > > > to widen the race windows, then build and run the attached reproducer
> > > > > mmap-fixed-race.c.
> > > > >
> > > > > Under a kernel with KASAN, you should ideally get a KASAN splat like this:
> > > >
...
>
> Or you could basically unmap the VMA while it is still in the VMA tree
> but is already locked and marked as detached? So first you do
> unmap_vmas() and free_pgtables() (which clears the PTEs, removes the
> rmap links, and deletes page tables), then prepare the new VMAs, and
> then replace the old VMA's entries in the VMA tree with the new
> entries? I guess in the end the result would semantically be pretty
> similar to having markers in the maple tree.
>
After trying a few other methods, I ended up doing something like you
said above. I already had to do this if call_mmap() was to be used, so
the code change isn't that large. Doing it unconditionally on MAP_FIXED
seems like the safest plan.
The other methods were unsuccessful due to the locking order that exists
in fsreclaim and other areas.
Basically, the vma tree will not see a gap, but the rmap will see a gap.
Unfortunately this expands the number of failures which cannot be undone
with my design but still less than existed before. Most errors will
generate the historic vma gap, sadly.
Thanks,
Liam
next prev parent reply other threads:[~2024-10-11 14:26 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-08-30 4:00 [PATCH v8 00/21] Avoid MAP_FIXED gap exposure Liam R. Howlett
2024-08-30 4:00 ` [PATCH v8 01/21] mm/vma: Correctly position vma_iterator in __split_vma() Liam R. Howlett
2024-08-30 4:00 ` [PATCH v8 02/21] mm/vma: Introduce abort_munmap_vmas() Liam R. Howlett
2024-08-30 4:00 ` [PATCH v8 03/21] mm/vma: Introduce vmi_complete_munmap_vmas() Liam R. Howlett
2024-08-30 4:00 ` [PATCH v8 04/21] mm/vma: Extract the gathering of vmas from do_vmi_align_munmap() Liam R. Howlett
2024-08-30 4:00 ` [PATCH v8 05/21] mm/vma: Introduce vma_munmap_struct for use in munmap operations Liam R. Howlett
2024-08-30 4:00 ` [PATCH v8 06/21] mm/vma: Change munmap to use vma_munmap_struct() for accounting and surrounding vmas Liam R. Howlett
2024-08-30 4:00 ` [PATCH v8 07/21] mm/vma: Extract validate_mm() from vma_complete() Liam R. Howlett
2024-08-30 4:00 ` [PATCH v8 08/21] mm/vma: Inline munmap operation in mmap_region() Liam R. Howlett
2024-08-30 4:00 ` [PATCH v8 09/21] mm/vma: Expand mmap_region() munmap call Liam R. Howlett
2024-08-30 4:00 ` [PATCH v8 10/21] mm/vma: Support vma == NULL in init_vma_munmap() Liam R. Howlett
2024-08-30 4:00 ` [PATCH v8 11/21] mm/mmap: Reposition vma iterator in mmap_region() Liam R. Howlett
2024-08-30 4:00 ` [PATCH v8 12/21] mm/vma: Track start and end for munmap in vma_munmap_struct Liam R. Howlett
2024-08-30 4:00 ` [PATCH v8 13/21] mm: Clean up unmap_region() argument list Liam R. Howlett
2024-08-30 4:00 ` [PATCH v8 14/21] mm/mmap: Avoid zeroing vma tree in mmap_region() Liam R. Howlett
2024-10-07 19:05 ` [BUG] page table UAF, " Jann Horn
2024-10-07 20:31 ` Liam R. Howlett
2024-10-07 21:31 ` Jann Horn
2024-10-08 1:50 ` Liam R. Howlett
2024-10-08 17:15 ` Jann Horn
2024-10-08 17:51 ` Suren Baghdasaryan
2024-10-08 18:06 ` Jann Horn
2024-10-11 14:26 ` Liam R. Howlett [this message]
2024-08-30 4:00 ` [PATCH v8 15/21] mm: Change failure of MAP_FIXED to restoring the gap on failure Liam R. Howlett
2024-09-03 3:07 ` Pengfei Xu
2024-09-03 11:00 ` Lorenzo Stoakes
2024-09-03 12:27 ` Lorenzo Stoakes
2024-09-03 16:03 ` Liam R. Howlett
2024-08-30 4:00 ` [PATCH v8 16/21] mm/mmap: Use PHYS_PFN in mmap_region() Liam R. Howlett
2024-08-30 4:00 ` [PATCH v8 17/21] mm/mmap: Use vms accounted pages " Liam R. Howlett
2024-08-30 4:00 ` [PATCH v8 18/21] ipc/shm, mm: Drop do_vma_munmap() Liam R. Howlett
2024-08-30 4:00 ` [PATCH v8 19/21] mm: Move may_expand_vm() check in mmap_region() Liam R. Howlett
2024-08-30 4:01 ` [PATCH v8 20/21] mm/vma: Drop incorrect comment from vms_gather_munmap_vmas() Liam R. Howlett
2024-08-30 4:01 ` [PATCH v8 21/21] mm/vma.h: Optimise vma_munmap_struct Liam R. Howlett
2024-08-30 16:05 ` [PATCH v8 00/21] Avoid MAP_FIXED gap exposure Jeff Xu
2024-08-30 17:07 ` Liam R. Howlett
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2rdgyyn36yn7ey5oopynmkerpfx4ghdazhgwh7p53z7oaf646h@7hahj6yyowgv \
--to=liam.howlett@oracle.com \
--cc=akpm@linux-foundation.org \
--cc=jannh@google.com \
--cc=jeffxu@chromium.org \
--cc=kees@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=lorenzo.stoakes@oracle.com \
--cc=olsajiri@gmail.com \
--cc=paulmck@kernel.org \
--cc=sethjenkins@google.com \
--cc=sidhartha.kumar@oracle.com \
--cc=spasswolf@web.de \
--cc=surenb@google.com \
--cc=vbabka@suse.cz \
--cc=willy@infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox