From: Colin Cross
Date: Thu, 3 Sep 2020 08:59:38 -0700
Subject: Re: [PATCH v7 3/3] mm: add a field to store names for private anonymous memory
To: "Kirill A. Shutemov"
Cc: Matthew Wilcox, "Kirill A. Shutemov", Sumit Semwal, Andrew Morton,
 Linux-MM, lkml, Alexey Dobriyan, Jonathan Corbet, Mauro Carvalho Chehab,
 Kees Cook, Michal Hocko, Alexey Gladkov, Jason Gunthorpe,
 Michel Lespinasse, Michal Koutný, Song Liu, Huang Ying, Vlastimil Babka,
 Yang Shi, chenqiwu, Mathieu Desnoyers, John Hubbard, Mike Christie,
 Bart Van Assche, Amit Pundir, Thomas Gleixner, Christian Brauner,
 Daniel Jordan, Adrian Reber, Nicolas Viennot, Al Viro,
 linux-fsdevel@vger.kernel.org, John Stultz, Pekka Enberg, Dave Hansen,
 Peter Zijlstra, Ingo Molnar, Oleg Nesterov, "Eric W. Biederman",
 Jan Glauber, Rob Landley, Cyrill Gorcunov, "Serge E. Hallyn",
 David Rientjes, Hugh Dickins, Rik van Riel, Mel Gorman, Tang Chen,
 Robin Holt, Shaohua Li, Sasha Levin, Johannes Weiner, Minchan Kim

On Thu, Sep 3, 2020 at 6:58 AM Kirill A. Shutemov wrote:
>
> On Thu, Sep 03, 2020 at 02:43:40PM +0100, Matthew Wilcox wrote:
> > On Thu, Sep 03, 2020 at 04:25:37PM +0300, Kirill A. Shutemov wrote:
> > > IIUC, it gives userspace direct control of content of /proc/$PID/maps and
> > > /proc/$PID/smaps. There's no verification of the given string whatsoever.
> > > I'm sure security experts would find clever usage of the feature :P
> >
> > What, you think that naming a VMA
> > "\n55bc3e0f9000-55bc3e0fb000 r--p 00000000 fd:01 16777285 /bin/cat"
> > might cause problems?

The data is wrapped inside "[anon: ]", which limits the ability to
masquerade as a real file.

> Something that would cause buffer overrun or out-of-bound access in a
> privileged parser can be even more interesting. :)

This is the same as /proc/pid/cmdline, which has no sanitization.
It's also limited to 255 bytes, which should hopefully limit the
opportunity for a buffer overrun.

> > Would it be enough to restrict the characters to isalnum()?
>
> I guess.
>
> But current design stores userspace pointer and there's time-of-check vs.
> time-of-use problem.

It copies from userspace into a kernel buffer at read time, any
desired sanitization could easily be added there.

> --
> Kirill A. Shutemov
>
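
The sanitization discussed in this thread (copy the name once into a private buffer, then check that copy against isalnum() and the 255-byte limit before it is printed), sketched as a userspace C example added here; it is not part of the message above or of the patch. The helper names, the `memcpy` standing in for the copy from userspace, and the reject-on-invalid policy are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define ANON_NAME_MAX 255 /* byte limit mentioned in the thread */

/* Hypothetical helper: take one snapshot of the caller's bytes, then validate
 * only the snapshot, so a concurrent writer cannot change the name between
 * the check and the use. Returns 0 on success, -1 if the name is empty,
 * longer than ANON_NAME_MAX, or contains a byte that is not isalnum(). */
int snapshot_anon_name(const char *user, size_t user_len,
                       char out[ANON_NAME_MAX + 1])
{
    size_t i;

    if (user_len == 0 || user_len > ANON_NAME_MAX)
        return -1;
    memcpy(out, user, user_len); /* single copy; stand-in for the kernel copy */
    out[user_len] = '\0';
    for (i = 0; i < user_len; i++) {
        if (!isalnum((unsigned char)out[i])) { /* rejects '\n', ' ', NUL, ... */
            out[0] = '\0';
            return -1;
        }
    }
    return 0;
}

/* Hypothetical formatter: emit the "[anon:...]" field only from a validated
 * snapshot. Returns the number of bytes written, or -1 on rejection or if
 * the output buffer is too small. */
int format_anon_field(const char *user, size_t user_len,
                      char *line, size_t line_size)
{
    char name[ANON_NAME_MAX + 1];
    int n;

    if (snapshot_anon_name(user, user_len, name) != 0)
        return -1;
    n = snprintf(line, line_size, "[anon:%s]", name);
    return (n < 0 || (size_t)n >= line_size) ? -1 : n;
}

int main(void)
{
    /* Constructed name, then the name quoted in the thread. */
    const char ok[] = "jitcache01";
    const char bad[] = "\n55bc3e0f9000-55bc3e0fb000 r--p 00000000 fd:01 16777285 /bin/cat";
    char line[300];

    printf("%d\n", format_anon_field(ok, strlen(ok), line, sizeof line));
    printf("%d\n", format_anon_field(bad, strlen(bad), line, sizeof line));
    return 0;
}
```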