References: <20200901161459.11772-1-sumit.semwal@linaro.org> <20200901161459.11772-4-sumit.semwal@linaro.org> <20200903132537.mp5e6o6ptgbkghxe@box> <20200903134340.GA14765@casper.infradead.org> <20200903135806.ceoivs5pzlchg6uj@black.fi.intel.com> <202009031022.3834F692@keescook>
In-Reply-To: <202009031022.3834F692@keescook>
From: Colin Cross
Date: Thu, 3 Sep 2020 10:54:20 -0700
Message-ID:
Subject: Re: [PATCH v7 3/3] mm: add a field to store names for private anonymous memory
To: Kees Cook
Cc: "Kirill A. Shutemov", Matthew Wilcox, "Kirill A. Shutemov", Sumit Semwal, Andrew Morton, Linux-MM, lkml, Alexey Dobriyan, Jonathan Corbet, Mauro Carvalho Chehab, Michal Hocko, Alexey Gladkov, Jason Gunthorpe, Michel Lespinasse, Michal Koutný, Song Liu, Huang Ying, Vlastimil Babka, Yang Shi, chenqiwu, Mathieu Desnoyers, John Hubbard, Mike Christie, Bart Van Assche, Amit Pundir, Thomas Gleixner, Christian Brauner, Daniel Jordan, Adrian Reber, Nicolas Viennot, Al Viro, linux-fsdevel@vger.kernel.org, John Stultz, Pekka Enberg, Dave Hansen, Peter Zijlstra, Ingo Molnar, Oleg Nesterov, "Eric W. Biederman", Jan Glauber, Rob Landley, Cyrill Gorcunov, "Serge E. Hallyn", David Rientjes, Hugh Dickins, Rik van Riel, Mel Gorman, Tang Chen, Robin Holt, Shaohua Li, Sasha Levin, Johannes Weiner, Minchan Kim

On Thu, Sep 3, 2020 at 10:31 AM Kees Cook wrote:
>
> On Thu, Sep 03, 2020 at 08:59:38AM -0700, Colin Cross wrote:
> > On Thu, Sep 3, 2020 at 6:58 AM Kirill A. Shutemov wrote:
> > >
> > > On Thu, Sep 03, 2020 at 02:43:40PM +0100, Matthew Wilcox wrote:
> > > > On Thu, Sep 03, 2020 at 04:25:37PM +0300, Kirill A. Shutemov wrote:
> > > > > IIUC, it gives userspace direct control of content of /proc/$PID/maps and
> > > > > /proc/$PID/smaps. There's no verification of the given string whatsoever.
> > > > > I'm sure security experts would find clever usage of the feature :P
> > > >
> > > > What, you think that naming a VMA
> > > > "\n55bc3e0f9000-55bc3e0fb000 r--p 00000000 fd:01 16777285 /bin/cat" might cause problems?
> >
> > The data is wrapped inside "[anon: ]", which limits the ability to
> > masquerade as a real file.
>
> That's true, but it's insufficient to avoid spoofing parsers (e.g. if I
> set my name to "hiding]\nfake-maps-line-here [anon: evil"
>
> > > Something that would cause buffer overrun or out-of-bound access in a
> > > privileged parser can be even more interesting. :)
> >
> > This is the same as /proc/pid/cmdline, which has no sanitization.
> > It's also limited to 255 bytes, which should hopefully limit the
> > opportunity for a buffer overrun.
>
> /proc/$pid/cmdline contains a "single item", in the sense that the
> entire field is contained. Confusing parsers is certainly still
> possible, but the bounds for it are distinct in that there is nothing
> else in that file.
>
> The better analogy is with /proc/$pid/status, which is multi-line like
> maps, and *does* perform escaping, e.g.:
>
> $ cat sneaky.c
> #include <stdio.h>
> #include <unistd.h>
>
> int main(int argc, char *argv[])
> {
>         char * const args[] = {
>                 "four\nfive\nsix",
>                 NULL,
>         };
>         return execv("./one\ntwo\nthree", args);
> }
> $ head -n1 /proc/$pid/status
> Name:	one\ntwo\nthree
> $ cat /proc/$pid/cmdline
> four
> five
> six
> >
> > > > Would it be enough to restrict the characters to isalnum()?
> > >
> > > I guess.
> > >
> > > But current design stores userspace pointer and there's time-of-check vs.
> > > time-of-use problem.
> >
> > It copies from userspace into a kernel buffer at read time, any
> > desired sanitization could easily be added there.
>
> I would prefer having strict validation of the input over escaping the
> output, so to that end how about making close to "variable name" sane:
> [-\.a-zA-Z0-9_ ] ?

A quick skim of existing Android cases shows at least ":()" as well.
I'm not sure what you mean by validation of the input - the input to
the prctl is a userspace pointer, which is stored in the kernel for
later reads. Storing the string in the kernel at prctl time would be
infeasible. The kernel can only validate the value when producing
/proc/pid/maps. It could replace disallowed characters with _ though.

> if it should be wider than that, how about printable minus \n \r \f \v [ ] ?

That would work fine for Android.
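The approach the message above converges on (validate the name when producing /proc/pid/maps, replacing disallowed bytes with `_`, using Kees's `[-\.a-zA-Z0-9_ ]` set plus the `:()` seen in Android) written out as a userspace C example. This is an added illustration, not code from the patch series or from any participant in the thread; the function names, the `ANON_NAME_MAX` constant (the 255-byte limit mentioned above), and the sample inputs are my assumptions, and the allowlist is checked byte-by-byte against ASCII rather than through `<ctype.h>` so the result does not depend on locale:

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Upper bound taken from the thread ("limited to 255 bytes"); the name is mine. */
#define ANON_NAME_MAX 255

/* Allowlist: Kees's "variable name" set [-\.a-zA-Z0-9_ ] plus the ":()"
 * Colin reports from Android.  ASCII-only on purpose: isalnum() from
 * <ctype.h> is locale dependent in userspace, and a parser of maps
 * output should see the same bytes everywhere. */
static int anon_name_char_ok(unsigned char c)
{
	if (c >= '0' && c <= '9') return 1;
	if (c >= 'a' && c <= 'z') return 1;
	if (c >= 'A' && c <= 'Z') return 1;
	switch (c) {
	case '-': case '.': case '_': case ' ':
	case ':': case '(': case ')':
		return 1;
	default:
		return 0;
	}
}

/* Copy at most ANON_NAME_MAX bytes of an untrusted name into out (capacity
 * outsz, always NUL-terminated), replacing every byte outside the allowlist
 * with '_'.  Returns how many bytes were replaced so a caller can log or
 * count names that needed rewriting.  Truncation, not a stored pointer, is
 * what bounds the work done at read time. */
size_t sanitize_anon_name(const char *in, char *out, size_t outsz)
{
	size_t replaced = 0, i;
	size_t limit = outsz > 0 ? outsz - 1 : 0;

	if (limit > ANON_NAME_MAX)
		limit = ANON_NAME_MAX;
	for (i = 0; i < limit && in[i] != '\0'; i++) {
		unsigned char c = (unsigned char)in[i];
		if (anon_name_char_ok(c)) {
			out[i] = (char)c;
		} else {
			out[i] = '_';
			replaced++;
		}
	}
	if (outsz > 0)
		out[i] = '\0';
	return replaced;
}

/* Render the trailing "[anon: name]" field of a maps line from an untrusted
 * name.  Because '\n', '[' and ']' are not in the allowlist, the field can
 * neither span lines nor close the bracket early. */
int format_anon_field(const char *raw, char *buf, size_t bufsz)
{
	char clean[ANON_NAME_MAX + 1];

	sanitize_anon_name(raw, clean, sizeof(clean));
	return snprintf(buf, bufsz, "[anon: %s]", clean);
}

/* Constructed input: the spoofing string quoted in Kees's reply. */
static const char demo_evil_name[] = "hiding]\nfake-maps-line-here [anon: evil";

int main(void)
{
	char line[ANON_NAME_MAX + 16];

	format_anon_field(demo_evil_name, line, sizeof(line));
	puts(line);   /* one physical line; no ']' or '\n' survives */
	return 0;
}
```

Run as-is it prints `[anon: hiding__fake-maps-line-here _anon: evil]`: the injected newline and both brackets become underscores, so a line-oriented maps parser sees exactly one record. Widening the set to "printable minus `\n \r \f \v [ ]`" as proposed at the end of the message is a one-line change to `anon_name_char_ok`; the rest of the replace-at-read-time logic is unchanged.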