From: Hugh Dickins <hughd@google.com>
To: Waiman Long <longman@redhat.com>
Cc: Andrew Morton <akpm@linux-foundation.org>,
linux-mm@kvack.org, linux-kernel@vger.kernel.org,
Joe Mario <jmario@redhat.com>, Barry Marson <bmarson@redhat.com>,
Rafael Aquini <aquini@redhat.com>
Subject: Re: [PATCH] mm/mmap: Map MAP_STACK to VM_STACK
Date: Tue, 18 Apr 2023 18:36:43 -0700 (PDT) [thread overview]
Message-ID: <cffc7454-614-1939-f235-7b139dc46b41@google.com> (raw)
In-Reply-To: <6c3c68b1-c4d4-dd82-58e8-f7013fb6c8e5@redhat.com>
[-- Attachment #1: Type: text/plain, Size: 2036 bytes --]
On Tue, 18 Apr 2023, Waiman Long wrote:
> On 4/18/23 17:18, Andrew Morton wrote:
> > On Tue, 18 Apr 2023 17:02:30 -0400 Waiman Long <longman@redhat.com> wrote:
> >
> >> One of the flags of mmap(2) is MAP_STACK to request a memory segment
> >> suitable for a process or thread stack. The kernel currently ignores
> >> this flags. Glibc uses MAP_STACK when mmapping a thread stack. However,
> >> selinux has an execstack check in selinux_file_mprotect() which disallows
> >> a stack VMA to be made executable.
> >>
> >> Since MAP_STACK is a noop, it is possible for a stack VMA to be merged
> >> with an adjacent anonymous VMA. With that merging, using mprotect(2)
> >> to change a part of the merged anonymous VMA to make it executable may
> >> fail. This can lead to sporadic failure of applications that need to
> >> make those changes.
> > "Sporadic failure of applications" sounds quite serious. Can you
> > provide more details?
>
> The problem boils down to the fact that it is possible for user code to mmap a
> region of memory and then for the kernel to merge the VMA for that memory with
> the VMA for one of the application's thread stacks. This is causing random
> SEGVs with one of our large customer application.
>
> At a high level, this is what's happening:
>
> 1) App runs creating lots of threads.
> 2) It mmap's 256K pages of anonymous memory.
> 3) It writes executable code to that memory.
> 4) It calls mprotect() with PROT_EXEC on that memory so
> it can subsequently execute the code.
>
> The above mprotect() will fail if the mmap'd region's VMA gets merged with the
> VMA for one of the thread stacks. That's because the default RHEL SELinux
> policy is to not allow executable stacks.
Then wouldn't the bug be at the SELinux end? VMAs may have been merged
already, but the mprotect() with PROT_EXEC of the good non-stack range
will then split that area off from the stack again - maybe the SELinux
check does not understand that must happen?
Hugh
next prev parent reply other threads:[~2023-04-19 1:37 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-04-18 21:02 Waiman Long
2023-04-18 21:18 ` Andrew Morton
2023-04-19 1:16 ` Waiman Long
2023-04-19 1:36 ` Hugh Dickins [this message]
2023-04-19 1:45 ` Waiman Long
2023-04-19 3:24 ` Matthew Wilcox
2023-04-19 14:38 ` Paul Moore
2023-04-19 3:46 ` Matthew Wilcox
2023-04-19 15:07 ` Waiman Long
2023-04-19 15:09 ` Matthew Wilcox
2023-04-19 16:00 ` Joe Mario
2023-04-19 23:21 ` Jane Chu
2023-04-20 0:00 ` Jane Chu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=cffc7454-614-1939-f235-7b139dc46b41@google.com \
--to=hughd@google.com \
--cc=akpm@linux-foundation.org \
--cc=aquini@redhat.com \
--cc=bmarson@redhat.com \
--cc=jmario@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=longman@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox