[PATCH v2] mmap: Fix do_brk_flags() modifying obviously incorrect VMAs

All of lore.kernel.org
 help / color / mirror / Atom feed

* [PATCH v2] mmap: Fix do_brk_flags() modifying obviously incorrect VMAs
@ 2022-12-05 19:23 Liam Howlett
  2022-12-05 20:32 ` Andrew Morton
  0 siblings, 1 reply; 7+ messages in thread
From: Liam Howlett @ 2022-12-05 19:23 UTC (permalink / raw)
  To: linux-mm, linux-kernel, Andrew Morton
  Cc: Yu Zhao, Jason Donenfeld, Matthew Wilcox, SeongJae Park,
	Vlastimil Babka, Liam Howlett, Jann Horn

Add more sanity checks to the VMA that do_brk_flags() will expand.
Ensure the VMA matches basic merge requirements within the function
before calling can_vma_merge_after().

Drop the duplicate checks from vm_brk_flags() since they will be
enforced later.

Fixes: 2e7ce7d354f2 ("mm/mmap: change do_brk_flags() to expand existing VMA and add do_brk_munmap()")
Suggested-by: Jann Horn <jannh@google.com>
Signed-off-by: Liam R. Howlett <Liam.Howlett@oracle.com>
---
 mm/mmap.c | 11 +++--------
 1 file changed, 3 insertions(+), 8 deletions(-)

diff --git a/mm/mmap.c b/mm/mmap.c
index a5eb2f175da0..5d48170fc2b2 100644
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -2946,9 +2946,9 @@ static int do_brk_flags(struct ma_state *mas, struct vm_area_struct *vma,
 	 * Expand the existing vma if possible; Note that singular lists do not
 	 * occur after forking, so the expand will only happen on new VMAs.
 	 */
-	if (vma &&
-	    (!vma->anon_vma || list_is_singular(&vma->anon_vma_chain)) &&
-	    ((vma->vm_flags & ~VM_SOFTDIRTY) == flags)) {
+	if (vma && vma->vm_end == addr && !vma_policy(vma) &&
+	    can_vma_merge_after(vma, flags, NULL, NULL,
+				addr >> PAGE_SHIFT, NULL_VM_UFFD_CTX, NULL)) {
 		mas_set_range(mas, vma->vm_start, addr + len - 1);
 		if (mas_preallocate(mas, vma, GFP_KERNEL))
 			return -ENOMEM;
@@ -3035,11 +3035,6 @@ int vm_brk_flags(unsigned long addr, unsigned long request, unsigned long flags)
 		goto munmap_failed;
 
 	vma = mas_prev(&mas, 0);
-	if (!vma || vma->vm_end != addr || vma_policy(vma) ||
-	    !can_vma_merge_after(vma, flags, NULL, NULL,
-				 addr >> PAGE_SHIFT, NULL_VM_UFFD_CTX, NULL))
-		vma = NULL;
-
 	ret = do_brk_flags(&mas, vma, addr, len, flags);
 	populate = ((mm->def_flags & VM_LOCKED) != 0);
 	mmap_write_unlock(mm);
-- 
2.35.1

^ permalink raw reply related	[flat|nested] 7+ messages in thread

* Re: [PATCH v2] mmap: Fix do_brk_flags() modifying obviously incorrect VMAs
  2022-12-05 19:23 [PATCH v2] mmap: Fix do_brk_flags() modifying obviously incorrect VMAs Liam Howlett
@ 2022-12-05 20:32 ` Andrew Morton
  2022-12-05 21:55   ` Jann Horn
  0 siblings, 1 reply; 7+ messages in thread
From: Andrew Morton @ 2022-12-05 20:32 UTC (permalink / raw)
  To: Liam Howlett
  Cc: linux-mm, linux-kernel, Yu Zhao, Jason Donenfeld, Matthew Wilcox,
	SeongJae Park, Vlastimil Babka, Jann Horn

On Mon, 5 Dec 2022 19:23:17 +0000 Liam Howlett <liam.howlett@oracle.com> wrote:

> Add more sanity checks to the VMA that do_brk_flags() will expand.
> Ensure the VMA matches basic merge requirements within the function
> before calling can_vma_merge_after().

I't unclear what's actually being fixed here.

Why do you feel we need the above changes?

> Drop the duplicate checks from vm_brk_flags() since they will be
> enforced later.
> 
> Fixes: 2e7ce7d354f2 ("mm/mmap: change do_brk_flags() to expand existing VMA and add do_brk_munmap()")

Fixes in what way?  Removing the duplicate checks?

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [PATCH v2] mmap: Fix do_brk_flags() modifying obviously incorrect VMAs
  2022-12-05 20:32 ` Andrew Morton
@ 2022-12-05 21:55   ` Jann Horn
  2022-12-05 22:13     ` Vlastimil Babka
  0 siblings, 1 reply; 7+ messages in thread
From: Jann Horn @ 2022-12-05 21:55 UTC (permalink / raw)
  To: Andrew Morton
  Cc: Liam Howlett, linux-mm, linux-kernel, Yu Zhao, Jason Donenfeld,
	Matthew Wilcox, SeongJae Park, Vlastimil Babka

On Mon, Dec 5, 2022 at 9:32 PM Andrew Morton <akpm@linux-foundation.org> wrote:
> On Mon, 5 Dec 2022 19:23:17 +0000 Liam Howlett <liam.howlett@oracle.com> wrote:
> > Add more sanity checks to the VMA that do_brk_flags() will expand.
> > Ensure the VMA matches basic merge requirements within the function
> > before calling can_vma_merge_after().
>
> I't unclear what's actually being fixed here.
>
> Why do you feel we need the above changes?
>
> > Drop the duplicate checks from vm_brk_flags() since they will be
> > enforced later.
> >
> > Fixes: 2e7ce7d354f2 ("mm/mmap: change do_brk_flags() to expand existing VMA and add do_brk_munmap()")
>
> Fixes in what way?  Removing the duplicate checks?

The old code would expand file VMAs on brk(), which is functionally
wrong and also dangerous in terms of locking because the brk() path
isn't designed for file VMAs and therefore doesn't lock the file
mapping. Checking can_vma_merge_after() ensures that new anonymous
VMAs can't be merged into file VMAs.

See https://lore.kernel.org/linux-mm/CAG48ez1tJZTOjS_FjRZhvtDA-STFmdw8PEizPDwMGFd_ui0Nrw@mail.gmail.com/
.

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [PATCH v2] mmap: Fix do_brk_flags() modifying obviously incorrect VMAs
  2022-12-05 21:55   ` Jann Horn
@ 2022-12-05 22:13     ` Vlastimil Babka
  2022-12-05 22:22       ` Jann Horn
  2022-12-05 22:26       ` Vlastimil Babka
  0 siblings, 2 replies; 7+ messages in thread
From: Vlastimil Babka @ 2022-12-05 22:13 UTC (permalink / raw)
  To: Jann Horn, Andrew Morton
  Cc: Liam Howlett, linux-mm, linux-kernel, Yu Zhao, Jason Donenfeld,
	Matthew Wilcox, SeongJae Park

On 12/5/22 22:55, Jann Horn wrote:
> On Mon, Dec 5, 2022 at 9:32 PM Andrew Morton <akpm@linux-foundation.org> wrote:
>> On Mon, 5 Dec 2022 19:23:17 +0000 Liam Howlett <liam.howlett@oracle.com> wrote:
>> > Add more sanity checks to the VMA that do_brk_flags() will expand.
>> > Ensure the VMA matches basic merge requirements within the function
>> > before calling can_vma_merge_after().
>>
>> I't unclear what's actually being fixed here.
>>
>> Why do you feel we need the above changes?
>>
>> > Drop the duplicate checks from vm_brk_flags() since they will be
>> > enforced later.
>> >
>> > Fixes: 2e7ce7d354f2 ("mm/mmap: change do_brk_flags() to expand existing VMA and add do_brk_munmap()")
>>
>> Fixes in what way?  Removing the duplicate checks?
> 
> The old code would expand file VMAs on brk(), which is functionally
> wrong and also dangerous in terms of locking because the brk() path
> isn't designed for file VMAs and therefore doesn't lock the file
> mapping. Checking can_vma_merge_after() ensures that new anonymous
> VMAs can't be merged into file VMAs.
> 
> See https://lore.kernel.org/linux-mm/CAG48ez1tJZTOjS_FjRZhvtDA-STFmdw8PEizPDwMGFd_ui0Nrw@mail.gmail.com/
> .

I guess the point is that if we fix it still within 6.1, we don't have to
devise how exactly this is exploitable, but due to the insufficient locking
it most likely is, right?

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [PATCH v2] mmap: Fix do_brk_flags() modifying obviously incorrect VMAs
  2022-12-05 22:13     ` Vlastimil Babka
@ 2022-12-05 22:22       ` Jann Horn
  2022-12-05 22:26       ` Vlastimil Babka
  1 sibling, 0 replies; 7+ messages in thread
From: Jann Horn @ 2022-12-05 22:22 UTC (permalink / raw)
  To: Vlastimil Babka
  Cc: Andrew Morton, Liam Howlett, linux-mm, linux-kernel, Yu Zhao,
	Jason Donenfeld, Matthew Wilcox, SeongJae Park

On Mon, Dec 5, 2022 at 11:13 PM Vlastimil Babka <vbabka@suse.cz> wrote:
> On 12/5/22 22:55, Jann Horn wrote:
> > On Mon, Dec 5, 2022 at 9:32 PM Andrew Morton <akpm@linux-foundation.org> wrote:
> >> On Mon, 5 Dec 2022 19:23:17 +0000 Liam Howlett <liam.howlett@oracle.com> wrote:
> >> > Add more sanity checks to the VMA that do_brk_flags() will expand.
> >> > Ensure the VMA matches basic merge requirements within the function
> >> > before calling can_vma_merge_after().
> >>
> >> I't unclear what's actually being fixed here.
> >>
> >> Why do you feel we need the above changes?
> >>
> >> > Drop the duplicate checks from vm_brk_flags() since they will be
> >> > enforced later.
> >> >
> >> > Fixes: 2e7ce7d354f2 ("mm/mmap: change do_brk_flags() to expand existing VMA and add do_brk_munmap()")
> >>
> >> Fixes in what way?  Removing the duplicate checks?
> >
> > The old code would expand file VMAs on brk(), which is functionally
> > wrong and also dangerous in terms of locking because the brk() path
> > isn't designed for file VMAs and therefore doesn't lock the file
> > mapping. Checking can_vma_merge_after() ensures that new anonymous
> > VMAs can't be merged into file VMAs.
> >
> > See https://lore.kernel.org/linux-mm/CAG48ez1tJZTOjS_FjRZhvtDA-STFmdw8PEizPDwMGFd_ui0Nrw@mail.gmail.com/
> > .
>
> I guess the point is that if we fix it still within 6.1, we don't have to
> devise how exactly this is exploitable,

Yeah, that was sort of my thinking.

> but due to the insufficient locking
> it most likely is, right?

To be honest, I don't really know how bad this is - pretty much the
only thing we're doing here is to change the VMA end. I don't know if
that messes up the address_space's interval tree or something?
I have no clue how that data structure looks.

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [PATCH v2] mmap: Fix do_brk_flags() modifying obviously incorrect VMAs
  2022-12-05 22:13     ` Vlastimil Babka
  2022-12-05 22:22       ` Jann Horn
@ 2022-12-05 22:26       ` Vlastimil Babka
  2022-12-06 17:12         ` Liam Howlett
  1 sibling, 1 reply; 7+ messages in thread
From: Vlastimil Babka @ 2022-12-05 22:26 UTC (permalink / raw)
  To: Jann Horn, Andrew Morton
  Cc: Liam Howlett, linux-mm, linux-kernel, Yu Zhao, Jason Donenfeld,
	Matthew Wilcox, SeongJae Park

On 12/5/22 23:13, Vlastimil Babka wrote:
> On 12/5/22 22:55, Jann Horn wrote:
>> On Mon, Dec 5, 2022 at 9:32 PM Andrew Morton <akpm@linux-foundation.org> wrote:
>>> On Mon, 5 Dec 2022 19:23:17 +0000 Liam Howlett <liam.howlett@oracle.com> wrote:
>>> > Add more sanity checks to the VMA that do_brk_flags() will expand.
>>> > Ensure the VMA matches basic merge requirements within the function
>>> > before calling can_vma_merge_after().
>>>
>>> I't unclear what's actually being fixed here.
>>>
>>> Why do you feel we need the above changes?
>>>
>>> > Drop the duplicate checks from vm_brk_flags() since they will be
>>> > enforced later.
>>> >
>>> > Fixes: 2e7ce7d354f2 ("mm/mmap: change do_brk_flags() to expand existing VMA and add do_brk_munmap()")
>>>
>>> Fixes in what way?  Removing the duplicate checks?
>> 
>> The old code would expand file VMAs on brk(), which is functionally
>> wrong and also dangerous in terms of locking because the brk() path
>> isn't designed for file VMAs and therefore doesn't lock the file
>> mapping. Checking can_vma_merge_after() ensures that new anonymous
>> VMAs can't be merged into file VMAs.
>> 
>> See https://lore.kernel.org/linux-mm/CAG48ez1tJZTOjS_FjRZhvtDA-STFmdw8PEizPDwMGFd_ui0Nrw@mail.gmail.com/

And yeah, that URL should have been a Link: in the patch. And the scenario
it's fixing described in a bit more detail?

> I guess the point is that if we fix it still within 6.1, we don't have to
> devise how exactly this is exploitable, but due to the insufficient locking
> it most likely is, right?


^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [PATCH v2] mmap: Fix do_brk_flags() modifying obviously incorrect VMAs
  2022-12-05 22:26       ` Vlastimil Babka
@ 2022-12-06 17:12         ` Liam Howlett
  0 siblings, 0 replies; 7+ messages in thread
From: Liam Howlett @ 2022-12-06 17:12 UTC (permalink / raw)
  To: Vlastimil Babka
  Cc: Jann Horn, Andrew Morton, linux-mm, linux-kernel, Yu Zhao,
	Jason Donenfeld, Matthew Wilcox, SeongJae Park

* Vlastimil Babka <vbabka@suse.cz> [221205 17:26]:
> On 12/5/22 23:13, Vlastimil Babka wrote:
> > On 12/5/22 22:55, Jann Horn wrote:
> >> On Mon, Dec 5, 2022 at 9:32 PM Andrew Morton <akpm@linux-foundation.org> wrote:
> >>> On Mon, 5 Dec 2022 19:23:17 +0000 Liam Howlett <liam.howlett@oracle.com> wrote:
> >>> > Add more sanity checks to the VMA that do_brk_flags() will expand.
> >>> > Ensure the VMA matches basic merge requirements within the function
> >>> > before calling can_vma_merge_after().
> >>>
> >>> I't unclear what's actually being fixed here.
> >>>
> >>> Why do you feel we need the above changes?
> >>>
> >>> > Drop the duplicate checks from vm_brk_flags() since they will be
> >>> > enforced later.
> >>> >
> >>> > Fixes: 2e7ce7d354f2 ("mm/mmap: change do_brk_flags() to expand existing VMA and add do_brk_munmap()")
> >>>
> >>> Fixes in what way?  Removing the duplicate checks?
> >> 
> >> The old code would expand file VMAs on brk(), which is functionally
> >> wrong and also dangerous in terms of locking because the brk() path
> >> isn't designed for file VMAs and therefore doesn't lock the file
> >> mapping. Checking can_vma_merge_after() ensures that new anonymous
> >> VMAs can't be merged into file VMAs.
> >> 
> >> See https://lore.kernel.org/linux-mm/CAG48ez1tJZTOjS_FjRZhvtDA-STFmdw8PEizPDwMGFd_ui0Nrw@mail.gmail.com/
> 
> And yeah, that URL should have been a Link: in the patch. And the scenario
> it's fixing described in a bit more detail?

Yes, sorry.  I should have made a better effort in describing what I was
fixing.  It seems I understated what was happening.

> 
> > I guess the point is that if we fix it still within 6.1, we don't have to
> > devise how exactly this is exploitable, but due to the insufficient locking
> > it most likely is, right?
> 

^ permalink raw reply	[flat|nested] 7+ messages in thread

end of thread, other threads:[~2022-12-06 17:13 UTC | newest]

Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-12-05 19:23 [PATCH v2] mmap: Fix do_brk_flags() modifying obviously incorrect VMAs Liam Howlett
2022-12-05 20:32 ` Andrew Morton
2022-12-05 21:55   ` Jann Horn
2022-12-05 22:13     ` Vlastimil Babka
2022-12-05 22:22       ` Jann Horn
2022-12-05 22:26       ` Vlastimil Babka
2022-12-06 17:12         ` Liam Howlett

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.