From: Matthew Wilcox <willy@infradead.org>
To: Waiman Long <longman@redhat.com>
Cc: Hugh Dickins <hughd@google.com>,
Andrew Morton <akpm@linux-foundation.org>,
linux-mm@kvack.org, linux-kernel@vger.kernel.org,
Joe Mario <jmario@redhat.com>, Barry Marson <bmarson@redhat.com>,
Rafael Aquini <aquini@redhat.com>,
Paul Moore <paul@paul-moore.com>,
Stephen Smalley <stephen.smalley.work@gmail.com>,
Eric Paris <eparis@parisplace.org>,
selinux@vger.kernel.org, James Morris <jmorris@namei.org>,
"Serge E. Hallyn" <serge@hallyn.com>,
linux-security-module@vger.kernel.org
Subject: Re: [PATCH] mm/mmap: Map MAP_STACK to VM_STACK
Date: Wed, 19 Apr 2023 04:24:28 +0100 [thread overview]
Message-ID: <ZD9e7A4gaZ6qkGhy@casper.infradead.org> (raw)
In-Reply-To: <22aee5ea-dd6b-ac2b-0b28-a25ee6602b48@redhat.com>
On Tue, Apr 18, 2023 at 09:45:34PM -0400, Waiman Long wrote:
>
> On 4/18/23 21:36, Hugh Dickins wrote:
> > On Tue, 18 Apr 2023, Waiman Long wrote:
> > > On 4/18/23 17:18, Andrew Morton wrote:
> > > > On Tue, 18 Apr 2023 17:02:30 -0400 Waiman Long <longman@redhat.com> wrote:
> > > >
> > > > > One of the flags of mmap(2) is MAP_STACK to request a memory segment
> > > > > suitable for a process or thread stack. The kernel currently ignores
> > > > > this flags. Glibc uses MAP_STACK when mmapping a thread stack. However,
> > > > > selinux has an execstack check in selinux_file_mprotect() which disallows
> > > > > a stack VMA to be made executable.
> > > > >
> > > > > Since MAP_STACK is a noop, it is possible for a stack VMA to be merged
> > > > > with an adjacent anonymous VMA. With that merging, using mprotect(2)
> > > > > to change a part of the merged anonymous VMA to make it executable may
> > > > > fail. This can lead to sporadic failure of applications that need to
> > > > > make those changes.
> > > > "Sporadic failure of applications" sounds quite serious. Can you
> > > > provide more details?
> > > The problem boils down to the fact that it is possible for user code to mmap a
> > > region of memory and then for the kernel to merge the VMA for that memory with
> > > the VMA for one of the application's thread stacks. This is causing random
> > > SEGVs with one of our large customer application.
> > >
> > > At a high level, this is what's happening:
> > >
> > > 1) App runs creating lots of threads.
> > > 2) It mmap's 256K pages of anonymous memory.
> > > 3) It writes executable code to that memory.
> > > 4) It calls mprotect() with PROT_EXEC on that memory so
> > > it can subsequently execute the code.
> > >
> > > The above mprotect() will fail if the mmap'd region's VMA gets merged with the
> > > VMA for one of the thread stacks. That's because the default RHEL SELinux
> > > policy is to not allow executable stacks.
> > Then wouldn't the bug be at the SELinux end? VMAs may have been merged
> > already, but the mprotect() with PROT_EXEC of the good non-stack range
> > will then split that area off from the stack again - maybe the SELinux
> > check does not understand that must happen?
>
> The SELinux check is done per VMA, not a region within a VMA. After VMA
> merging, SELinux is probably not able to determine which part of a VMA is a
> stack unless we keep that information somewhere and provide an API for
> SELinux to query. That can be quite a lot of work. So the easiest way to
> prevent this problem is to avoid merging a stack VMA with a regular
> anonymous VMA.
To paraphrase you, "Yes, SELinux is buggy, but we don't want to fix it".
Cc'ing the SELinux people so it can be fixed properly.
next prev parent reply other threads:[~2023-04-19 3:24 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-04-18 21:02 Waiman Long
2023-04-18 21:18 ` Andrew Morton
2023-04-19 1:16 ` Waiman Long
2023-04-19 1:36 ` Hugh Dickins
2023-04-19 1:45 ` Waiman Long
2023-04-19 3:24 ` Matthew Wilcox [this message]
2023-04-19 14:38 ` Paul Moore
2023-04-19 3:46 ` Matthew Wilcox
2023-04-19 15:07 ` Waiman Long
2023-04-19 15:09 ` Matthew Wilcox
2023-04-19 16:00 ` Joe Mario
2023-04-19 23:21 ` Jane Chu
2023-04-20 0:00 ` Jane Chu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZD9e7A4gaZ6qkGhy@casper.infradead.org \
--to=willy@infradead.org \
--cc=akpm@linux-foundation.org \
--cc=aquini@redhat.com \
--cc=bmarson@redhat.com \
--cc=eparis@parisplace.org \
--cc=hughd@google.com \
--cc=jmario@redhat.com \
--cc=jmorris@namei.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=linux-security-module@vger.kernel.org \
--cc=longman@redhat.com \
--cc=paul@paul-moore.com \
--cc=selinux@vger.kernel.org \
--cc=serge@hallyn.com \
--cc=stephen.smalley.work@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox