Subject: Re: [PATCH v2] mmap: Fix do_brk_flags() modifying obviously incorrect VMAs
From: Vlastimil Babka
Date: Mon, 5 Dec 2022 23:13:12 +0100
To: Jann Horn, Andrew Morton
Cc: Liam Howlett, linux-mm@kvack.org, linux-kernel@vger.kernel.org, Yu Zhao, Jason Donenfeld, Matthew Wilcox, SeongJae Park
References: <20221205192304.1957418-1-Liam.Howlett@oracle.com> <20221205123250.3fc552d96fcca5dc58be8443@linux-foundation.org>

On 12/5/22 22:55, Jann Horn wrote:
> On Mon, Dec 5, 2022 at 9:32 PM Andrew Morton wrote:
>> On Mon, 5 Dec 2022 19:23:17 +0000 Liam Howlett wrote:
>> > Add more sanity checks to the VMA that do_brk_flags() will expand.
>> > Ensure the VMA matches basic merge requirements within the function
>> > before calling can_vma_merge_after().
>>
>> It's unclear what's actually being fixed here.
>>
>> Why do you feel we need the above changes?
>>
>> > Drop the duplicate checks from vm_brk_flags() since they will be
>> > enforced later.
>> >
>> > Fixes: 2e7ce7d354f2 ("mm/mmap: change do_brk_flags() to expand existing VMA and add do_brk_munmap()")
>>
>> Fixes in what way? Removing the duplicate checks?
>
> The old code would expand file VMAs on brk(), which is functionally
> wrong and also dangerous in terms of locking because the brk() path
> isn't designed for file VMAs and therefore doesn't lock the file
> mapping. Checking can_vma_merge_after() ensures that new anonymous
> VMAs can't be merged into file VMAs.
>
> See https://lore.kernel.org/linux-mm/CAG48ez1tJZTOjS_FjRZhvtDA-STFmdw8PEizPDwMGFd_ui0Nrw@mail.gmail.com/
> .

I guess the point is that if we fix it still within 6.1, we don't have to devise how exactly this is exploitable, but due to the insufficient locking it most likely is, right?
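The following is an added userspace model, written for this page and not code from the patch, the kernel or anyone in the thread, of the decision Jann describes: before the fix, the VMA ending at the old brk was expanded as long as it was adjacent; after it, the VMA must pass the basic merge requirements that can_vma_merge_after() embodies, so a file-backed VMA is never grown by brk(). The struct, the VM_* values, the sample VMAs and every function name here are constructed for illustration; only do_brk_flags() and can_vma_merge_after() are names from the thread, and neither is implemented here.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed userspace model of the few VMA fields that decide whether
 * brk() may grow an existing mapping. Names mirror the kernel's for
 * readability, but this is not kernel code and the struct is invented. */
#define VM_READ   0x1UL
#define VM_WRITE  0x2UL
#define VM_EXEC   0x4UL
#define VM_SHARED 0x8UL

struct model_vma {
    const char *name;        /* label for the demo output only */
    uintptr_t vm_start;
    uintptr_t vm_end;
    unsigned long vm_flags;
    const char *vm_file;     /* NULL for anonymous memory; a path stands in for struct file */
    bool has_close_op;       /* models vma->vm_ops && vma->vm_ops->close */
};

/* Pre-fix behaviour as the thread describes it: the VMA ending at the old
 * brk was expanded whenever it was adjacent, whatever backed it. */
static bool brk_expand_unchecked(const struct model_vma *vma, uintptr_t oldbrk)
{
    return vma->vm_end == oldbrk;
}

/* Merge requirements the fix enforces, in the spirit of can_vma_merge_after():
 * an anonymous VMA with identical flags, no close hook, ending at oldbrk.
 * A file-backed VMA fails the vm_file check, so brk() can never grow it. */
static bool brk_expand_checked(const struct model_vma *vma, uintptr_t oldbrk,
                               unsigned long new_flags)
{
    if (vma->vm_end != oldbrk)
        return false;   /* not adjacent: nothing to expand */
    if (vma->vm_file != NULL)
        return false;   /* file-backed: the brk() path does not take the file mapping lock */
    if (vma->has_close_op)
        return false;   /* VMAs with vm_ops->close are never merge candidates */
    if (vma->vm_flags != new_flags)
        return false;   /* protection or sharing mismatch */
    return true;
}

#define OLDBRK    0x20000000UL
#define BRK_FLAGS (VM_READ | VM_WRITE)   /* what a plain brk() region gets in this model */

/* Constructed neighbours of the heap; only the first is a legitimate target. */
static const struct model_vma sample_vmas[] = {
    { "anon rw (heap)",        0x1fff0000UL, OLDBRK,       VM_READ | VM_WRITE,           NULL,        false },
    { "file-backed rw",        0x1fff0000UL, OLDBRK,       VM_READ | VM_WRITE,           "/tmp/data", false },
    { "anon rwx",              0x1fff0000UL, OLDBRK,       VM_READ | VM_WRITE | VM_EXEC, NULL,        false },
    { "anon rw, close op",     0x1fff0000UL, OLDBRK,       VM_READ | VM_WRITE,           NULL,        true  },
    { "anon rw, not adjacent", 0x10000000UL, 0x10010000UL, VM_READ | VM_WRITE,           NULL,        false },
};
#define N_SAMPLES (sizeof(sample_vmas) / sizeof(sample_vmas[0]))

/* Number of sample VMAs the unchecked path would wrongly expand,
 * i.e. accepted without the checks but rejected with them. */
static int count_unsafe_expansions(void)
{
    int unsafe = 0;
    for (size_t i = 0; i < N_SAMPLES; i++) {
        bool before = brk_expand_unchecked(&sample_vmas[i], OLDBRK);
        bool after  = brk_expand_checked(&sample_vmas[i], OLDBRK, BRK_FLAGS);
        if (before && !after)
            unsafe++;
    }
    return unsafe;
}

int main(void)
{
    for (size_t i = 0; i < N_SAMPLES; i++) {
        const struct model_vma *v = &sample_vmas[i];
        printf("%-24s unchecked=%d checked=%d\n", v->name,
               brk_expand_unchecked(v, OLDBRK),
               brk_expand_checked(v, OLDBRK, BRK_FLAGS));
    }
    printf("wrongly expandable before the fix: %d\n", count_unsafe_expansions());
    return 0;
}
```

Of the five constructed neighbours, three are adjacent to the old brk and would have been grown by the unchecked path, but only the plain anonymous read/write VMA survives the merge checks; the file-backed one is the case the thread is concerned about, since growing it would modify a file mapping on a path that never takes the mapping's lock.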