From: Michal Hocko <mhocko@kernel.org>
To: Baoquan He <bhe@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
Kees Cook <keescook@chromium.org>,
Oleg Nesterov <oleg@redhat.com>, Jiri Kosina <jkosina@suse.cz>,
Al Viro <viro@zeniv.linux.org.uk>, Ingo Molnar <mingo@elte.hu>,
LKML <linux-kernel@vger.kernel.org>
Subject: Re: MAP_FIXED for ELF mappings
Date: Wed, 4 Oct 2017 17:11:14 +0200 [thread overview]
Message-ID: <20171004151114.7gwppd5qh242laor@dhcp22.suse.cz> (raw)
In-Reply-To: <20171004150334.GB31992@x1>
On Wed 04-10-17 23:03:34, Baoquan He wrote:
> On 10/04/17 at 09:50am, Michal Hocko wrote:
> > Hi,
> > while studying CVE-2017-1000253 and the MAP_FIXED usage in load_elf*
> > code paths I have stumbled over MAP_FIXED usage for elf segments
> > mapping. I am not really familiar with this area much so I might draw
> > completely incorrect conclusions here but I am really wondering why we
> > are doing MAP_FIXED there at all.
> >
> > I can see why some segments really have to be mapped at a specific
> > address but I wonder whether MAP_FIXED is the right tool to achieve
> > that. It seems to me that MAP_FIXED is fundamentally dangerous because
> > it unmaps any existing mapping. I assume that nothing should be really
> > mapped in the requested range that early so we can only stumble over
> > something when the address space randomization place things unexpectedly
> > (which was the case of the above mentioned CVE AFAIU).
> >
> > So my primary question is whether we can/should simply drop MAP_FIXED
> > from elf_map at all. Instead we should test whether the mapping was
> > successful for the requested address and fail otherwise. I realize that
> > failing due to something that a user has no idea about sucks a lot but
> > it seems to me safer to simply complain into the log and fail is a safer
> > option.
>
> Sorry to interrupt. I tried below example.c and example2.c files and
> compile and link them with fpie and pie. Seems in the final PIE
> executable, the local global is pc relative. Means the data segment has
> to be put after the code segment though PIE program. Then MAP_FIXED is a
> good to have flag, especially we have counted in the total_size to
> search an area to cover the whole dynamic program and get the load_bias.
> It's no way to fail to get map agrea in case load_addr_set == 1.
> So with MAP_FIXED set, we won't take time to search the mm vma rb
> tree when load_addr_set == 1, but just return the specified addr directly,
> looks more efficient.
I am sorry, but I do not follow. elf_map should get the address hint to
use. MAP_FIXED merely unmaps anything underneath if there is something
which is exactly what I called dangerous. Without the flag we would just
fail in that case. Or, are you suggesting that MAP_FIXED is a
performance optimization because we are not doing find_vma in that case?
--
Michal Hocko
SUSE Labs
next prev parent reply other threads:[~2017-10-04 15:11 UTC|newest]
Thread overview: 39+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-10-04 7:50 MAP_FIXED for ELF mappings Michal Hocko
2017-10-04 7:59 ` Michal Hocko
2017-10-04 15:03 ` Baoquan He
2017-10-04 15:11 ` Michal Hocko [this message]
2017-10-04 15:12 ` Baoquan He
2017-10-04 15:17 ` Michal Hocko
2017-10-04 15:37 ` Baoquan He
2017-10-04 17:12 ` Michal Hocko
2017-10-04 17:15 ` Linus Torvalds
2017-10-04 17:28 ` Michal Hocko
2017-10-05 16:33 ` Oleg Nesterov
2017-10-05 16:42 ` Michal Hocko
2017-10-16 13:44 ` [PATCH 0/2] fs, elf: get rid of MAP_FIXED from the loader Michal Hocko
2017-10-16 13:44 ` [PATCH 1/2] fs, elf: drop MAP_FIXED usage from elf_map Michal Hocko
2017-10-16 16:39 ` Kees Cook
2017-10-16 19:00 ` Michal Hocko
2017-10-16 19:00 ` Michal Hocko
2017-10-16 20:02 ` James Hogan
2017-10-16 20:02 ` James Hogan
2017-10-17 7:37 ` Michal Hocko
2017-10-17 7:37 ` Michal Hocko
2017-10-17 8:35 ` James Hogan
2017-10-17 8:35 ` James Hogan
2017-10-17 8:56 ` Michal Hocko
2017-10-17 12:26 ` Baoquan He
2017-10-17 12:56 ` Michal Hocko
2017-10-17 13:22 ` Baoquan He
2017-10-17 13:33 ` Michal Hocko
2017-10-17 13:42 ` Baoquan He
2017-10-16 13:44 ` [PATCH 2/2] fs, elf: drop MAP_FIXED from initial ET_DYN segment Michal Hocko
2017-10-16 16:44 ` Kees Cook
2017-10-16 18:43 ` Michal Hocko
2017-10-16 19:38 ` Kees Cook
2017-10-17 9:04 ` Michal Hocko
2017-10-17 20:01 ` Kees Cook
2017-10-19 11:20 ` Michal Hocko
2017-10-19 17:19 ` Kees Cook
2017-10-20 8:45 ` Michal Hocko
2017-10-20 14:12 ` Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20171004151114.7gwppd5qh242laor@dhcp22.suse.cz \
--to=mhocko@kernel.org \
--cc=bhe@redhat.com \
--cc=jkosina@suse.cz \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@elte.hu \
--cc=oleg@redhat.com \
--cc=torvalds@linux-foundation.org \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.