From: Kees Cook <keescook@chromium.org>
To: Oleg Nesterov <oleg@redhat.com>
Cc: Andrew Morton <akpm@linux-foundation.org>,
Hector Marco-Gisbert <hecmargi@upv.es>,
Ismael Ripoll Ripoll <iripoll@upv.es>,
Alexander Viro <viro@zeniv.linux.org.uk>,
"Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>,
Chen Gang <gang.chen.5i5j@gmail.com>,
Michal Hocko <mhocko@suse.com>,
Konstantin Khlebnikov <koct9i@gmail.com>,
Andrea Arcangeli <aarcange@redhat.com>,
Andrey Ryabinin <aryabinin@virtuozzo.com>,
"linux-fsdevel@vger.kernel.org" <linux-fsdevel@vger.kernel.org>,
Linux-MM <linux-mm@kvack.org>,
LKML <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH 2/2] mm: refuse wrapped vm_brk requests
Date: Mon, 11 Jul 2016 14:01:08 -0400 [thread overview]
Message-ID: <CAGXu5j+efUrhOTikpuYK0V8Eqv58f5rQBMOYDqiVM-JWrqRbLA@mail.gmail.com> (raw)
In-Reply-To: <20160711122826.GA969@redhat.com>
On Mon, Jul 11, 2016 at 8:28 AM, Oleg Nesterov <oleg@redhat.com> wrote:
> I think both patches are fine, just a question.
>
> On 07/08, Kees Cook wrote:
>>
>> -static int do_brk(unsigned long addr, unsigned long len)
>> +static int do_brk(unsigned long addr, unsigned long request)
>> {
>> struct mm_struct *mm = current->mm;
>> struct vm_area_struct *vma, *prev;
>> - unsigned long flags;
>> + unsigned long flags, len;
>> struct rb_node **rb_link, *rb_parent;
>> pgoff_t pgoff = addr >> PAGE_SHIFT;
>> int error;
>>
>> - len = PAGE_ALIGN(len);
>> + len = PAGE_ALIGN(request);
>> + if (len < request)
>> + return -ENOMEM;
>
> So iiuc "len < request" is only possible if len == 0, right?
Oh, hrm, good point.
>
>> if (!len)
>> return 0;
>
> and thus this patch fixes the error code returned by do_brk() in case
> of overflow, now it returns -ENOMEM rather than zero. Perhaps
>
> if (!len)
> return 0;
> len = PAGE_ALIGN(len);
> if (!len)
> return -ENOMEM;
>
> would be more clear but this is subjective.
I'm fine either way.
> I am wondering if we should shift this overflow check to the caller(s).
> Say, sys_brk() does find_vma_intersection(mm, oldbrk, newbrk+PAGE_SIZE)
> before do_brk(), and in case of overflow find_vma_intersection() can
> wrongly return NULL.
>
> Then do_brk() will be called with len = -oldbrk, this can overflow or
> not but in any case this doesn't look right too.
>
> Or I am totally confused?
I think the callers shouldn't request a negative value, sure, but
vm_brk should notice and refuse it.
-Kees
--
Kees Cook
Chrome OS & Brillo Security
WARNING: multiple messages have this Message-ID (diff)
From: Kees Cook <keescook@chromium.org>
To: Oleg Nesterov <oleg@redhat.com>
Cc: Andrew Morton <akpm@linux-foundation.org>,
Hector Marco-Gisbert <hecmargi@upv.es>,
Ismael Ripoll Ripoll <iripoll@upv.es>,
Alexander Viro <viro@zeniv.linux.org.uk>,
"Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>,
Chen Gang <gang.chen.5i5j@gmail.com>,
Michal Hocko <mhocko@suse.com>,
Konstantin Khlebnikov <koct9i@gmail.com>,
Andrea Arcangeli <aarcange@redhat.com>,
Andrey Ryabinin <aryabinin@virtuozzo.com>,
"linux-fsdevel@vger.kernel.org" <linux-fsdevel@vger.kernel.org>,
Linux-MM <linux-mm@kvack.org>,
LKML <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH 2/2] mm: refuse wrapped vm_brk requests
Date: Mon, 11 Jul 2016 14:01:08 -0400 [thread overview]
Message-ID: <CAGXu5j+efUrhOTikpuYK0V8Eqv58f5rQBMOYDqiVM-JWrqRbLA@mail.gmail.com> (raw)
In-Reply-To: <20160711122826.GA969@redhat.com>
On Mon, Jul 11, 2016 at 8:28 AM, Oleg Nesterov <oleg@redhat.com> wrote:
> I think both patches are fine, just a question.
>
> On 07/08, Kees Cook wrote:
>>
>> -static int do_brk(unsigned long addr, unsigned long len)
>> +static int do_brk(unsigned long addr, unsigned long request)
>> {
>> struct mm_struct *mm = current->mm;
>> struct vm_area_struct *vma, *prev;
>> - unsigned long flags;
>> + unsigned long flags, len;
>> struct rb_node **rb_link, *rb_parent;
>> pgoff_t pgoff = addr >> PAGE_SHIFT;
>> int error;
>>
>> - len = PAGE_ALIGN(len);
>> + len = PAGE_ALIGN(request);
>> + if (len < request)
>> + return -ENOMEM;
>
> So iiuc "len < request" is only possible if len == 0, right?
Oh, hrm, good point.
>
>> if (!len)
>> return 0;
>
> and thus this patch fixes the error code returned by do_brk() in case
> of overflow, now it returns -ENOMEM rather than zero. Perhaps
>
> if (!len)
> return 0;
> len = PAGE_ALIGN(len);
> if (!len)
> return -ENOMEM;
>
> would be more clear but this is subjective.
I'm fine either way.
> I am wondering if we should shift this overflow check to the caller(s).
> Say, sys_brk() does find_vma_intersection(mm, oldbrk, newbrk+PAGE_SIZE)
> before do_brk(), and in case of overflow find_vma_intersection() can
> wrongly return NULL.
>
> Then do_brk() will be called with len = -oldbrk, this can overflow or
> not but in any case this doesn't look right too.
>
> Or I am totally confused?
I think the callers shouldn't request a negative value, sure, but
vm_brk should notice and refuse it.
-Kees
--
Kees Cook
Chrome OS & Brillo Security
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
next prev parent reply other threads:[~2016-07-11 18:01 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-07-08 21:48 [PATCH 0/2] binfmt_elf: fix calculations for bss padding Kees Cook
2016-07-08 21:48 ` Kees Cook
2016-07-08 21:48 ` [PATCH 1/2] " Kees Cook
2016-07-08 21:48 ` Kees Cook
2016-07-12 22:32 ` Kees Cook
2016-07-12 22:32 ` Kees Cook
2016-07-08 21:48 ` [PATCH 2/2] mm: refuse wrapped vm_brk requests Kees Cook
2016-07-08 21:48 ` Kees Cook
2016-07-11 12:28 ` Oleg Nesterov
2016-07-11 12:28 ` Oleg Nesterov
2016-07-11 18:01 ` Kees Cook [this message]
2016-07-11 18:01 ` Kees Cook
2016-07-12 13:39 ` Oleg Nesterov
2016-07-12 13:39 ` Oleg Nesterov
2016-07-12 17:15 ` Kees Cook
2016-07-12 17:15 ` Kees Cook
2016-07-13 17:00 ` Oleg Nesterov
2016-07-13 17:00 ` Oleg Nesterov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAGXu5j+efUrhOTikpuYK0V8Eqv58f5rQBMOYDqiVM-JWrqRbLA@mail.gmail.com \
--to=keescook@chromium.org \
--cc=aarcange@redhat.com \
--cc=akpm@linux-foundation.org \
--cc=aryabinin@virtuozzo.com \
--cc=gang.chen.5i5j@gmail.com \
--cc=hecmargi@upv.es \
--cc=iripoll@upv.es \
--cc=kirill.shutemov@linux.intel.com \
--cc=koct9i@gmail.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=mhocko@suse.com \
--cc=oleg@redhat.com \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.