From: Matthew Wilcox <willy@infradead.org>
To: Waiman Long <longman@redhat.com>
Cc: Andrew Morton <akpm@linux-foundation.org>,
linux-mm@kvack.org, linux-kernel@vger.kernel.org,
Joe Mario <jmario@redhat.com>, Barry Marson <bmarson@redhat.com>,
Rafael Aquini <aquini@redhat.com>
Subject: Re: [PATCH] mm/mmap: Map MAP_STACK to VM_STACK
Date: Wed, 19 Apr 2023 16:09:02 +0100 [thread overview]
Message-ID: <ZEAEDqVhS0qz6Wx1@casper.infradead.org> (raw)
In-Reply-To: <9f92d530-1cfc-6e50-a717-321ac64ed1c2@redhat.com>
On Wed, Apr 19, 2023 at 11:07:04AM -0400, Waiman Long wrote:
> On 4/18/23 23:46, Matthew Wilcox wrote:
> > On Tue, Apr 18, 2023 at 09:16:37PM -0400, Waiman Long wrote:
> > > 1) App runs creating lots of threads.
> > > 2) It mmap's 256K pages of anonymous memory.
> > > 3) It writes executable code to that memory.
> > > 4) It calls mprotect() with PROT_EXEC on that memory so
> > > it can subsequently execute the code.
> > >
> > > The above mprotect() will fail if the mmap'd region's VMA gets merged with
> > > the VMA for one of the thread stacks. That's because the default RHEL
> > > SELinux policy is to not allow executable stacks.
> > By the way, this is a daft policy. The policy you really want is
> > EXEC|WRITE is not allowed. A non-writable stack is useless, so it's
> > actually a superset of your current policy. Forbidding _simultaneous_
> > write and executable is just good programming. This way, you don't need
> > to care about the underlying VMA's current permissions, you just need
> > to do:
> >
> > if ((prot & (PROT_EXEC|PROT_WRITE)) == (PROT_EXEC|PROT_WRITE))
> > return -EACCESS;
>
> I am not totally sure if the application changes the VMA to read-only first.
> Even if it does that, it highlights another possible issue when an anonymous
> VMA is merged with a stack VMA. Either the mprotect() to write-protect the
> VMA will fail or the application will segfault if it writes stuff to the
> stack. This particular issue is not related to SELinux. It provides another
> good idea why we should avoid merging stack VMA to anonymous VMA.
mprotect will split the VMA into two VMAs, one that is
PROT_READ|PROT_WRITE and one the is PROT_READ|PROT_EXEC.
next prev parent reply other threads:[~2023-04-19 15:09 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-04-18 21:02 Waiman Long
2023-04-18 21:18 ` Andrew Morton
2023-04-19 1:16 ` Waiman Long
2023-04-19 1:36 ` Hugh Dickins
2023-04-19 1:45 ` Waiman Long
2023-04-19 3:24 ` Matthew Wilcox
2023-04-19 14:38 ` Paul Moore
2023-04-19 3:46 ` Matthew Wilcox
2023-04-19 15:07 ` Waiman Long
2023-04-19 15:09 ` Matthew Wilcox [this message]
2023-04-19 16:00 ` Joe Mario
2023-04-19 23:21 ` Jane Chu
2023-04-20 0:00 ` Jane Chu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZEAEDqVhS0qz6Wx1@casper.infradead.org \
--to=willy@infradead.org \
--cc=akpm@linux-foundation.org \
--cc=aquini@redhat.com \
--cc=bmarson@redhat.com \
--cc=jmario@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=longman@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox