From: Kees Cook <keescook@chromium.org>
To: Colin Cross <ccross@google.com>
Cc: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>,
"Matthew Wilcox" <willy@infradead.org>,
"Kirill A. Shutemov" <kirill@shutemov.name>,
"Sumit Semwal" <sumit.semwal@linaro.org>,
"Andrew Morton" <akpm@linux-foundation.org>,
Linux-MM <linux-mm@kvack.org>,
lkml <linux-kernel@vger.kernel.org>,
"Alexey Dobriyan" <adobriyan@gmail.com>,
"Jonathan Corbet" <corbet@lwn.net>,
"Mauro Carvalho Chehab" <mchehab+huawei@kernel.org>,
"Michal Hocko" <mhocko@suse.com>,
"Alexey Gladkov" <gladkov.alexey@gmail.com>,
"Jason Gunthorpe" <jgg@ziepe.ca>,
"Michel Lespinasse" <walken@google.com>,
"Michal Koutný" <mkoutny@suse.com>,
"Song Liu" <songliubraving@fb.com>,
"Huang Ying" <ying.huang@intel.com>,
"Vlastimil Babka" <vbabka@suse.cz>,
"Yang Shi" <yang.shi@linux.alibaba.com>,
chenqiwu <chenqiwu@xiaomi.com>,
"Mathieu Desnoyers" <mathieu.desnoyers@efficios.com>,
"John Hubbard" <jhubbard@nvidia.com>,
"Mike Christie" <mchristi@redhat.com>,
"Bart Van Assche" <bvanassche@acm.org>,
"Amit Pundir" <amit.pundir@linaro.org>,
"Thomas Gleixner" <tglx@linutronix.de>,
"Christian Brauner" <christian.brauner@ubuntu.com>,
"Daniel Jordan" <daniel.m.jordan@oracle.com>,
"Adrian Reber" <areber@redhat.com>,
"Nicolas Viennot" <Nicolas.Viennot@twosigma.com>,
"Al Viro" <viro@zeniv.linux.org.uk>,
linux-fsdevel@vger.kernel.org,
"John Stultz" <john.stultz@linaro.org>,
"Pekka Enberg" <penberg@kernel.org>,
"Dave Hansen" <dave.hansen@intel.com>,
"Peter Zijlstra" <peterz@infradead.org>,
"Ingo Molnar" <mingo@kernel.org>,
"Oleg Nesterov" <oleg@redhat.com>,
"Eric W. Biederman" <ebiederm@xmission.com>,
"Jan Glauber" <jan.glauber@gmail.com>,
"Rob Landley" <rob@landley.net>,
"Cyrill Gorcunov" <gorcunov@openvz.org>,
"Serge E. Hallyn" <serge.hallyn@ubuntu.com>,
"David Rientjes" <rientjes@google.com>,
"Hugh Dickins" <hughd@google.com>,
"Rik van Riel" <riel@redhat.com>, "Mel Gorman" <mgorman@suse.de>,
"Tang Chen" <tangchen@cn.fujitsu.com>,
"Robin Holt" <holt@sgi.com>, "Shaohua Li" <shli@fusionio.com>,
"Sasha Levin" <sasha.levin@oracle.com>,
"Johannes Weiner" <hannes@cmpxchg.org>,
"Minchan Kim" <minchan@kernel.org>
Subject: Re: [PATCH v7 3/3] mm: add a field to store names for private anonymous memory
Date: Thu, 3 Sep 2020 10:31:08 -0700 [thread overview]
Message-ID: <202009031022.3834F692@keescook> (raw)
In-Reply-To: <CAMbhsRSxKd-tj2q4a1eDfavdPyKBDCKG_F4x55zYKBUceu_ruA@mail.gmail.com>
On Thu, Sep 03, 2020 at 08:59:38AM -0700, Colin Cross wrote:
> On Thu, Sep 3, 2020 at 6:58 AM Kirill A. Shutemov
> <kirill.shutemov@linux.intel.com> wrote:
> >
> > On Thu, Sep 03, 2020 at 02:43:40PM +0100, Matthew Wilcox wrote:
> > > On Thu, Sep 03, 2020 at 04:25:37PM +0300, Kirill A. Shutemov wrote:
> > > > IIUC, it gives userspace direct control of content of /proc/$PID/maps and
> > > > /proc/$PID/smaps. There's no verification of the given string whatsoever.
> > > > I'm sure security experts would find clever usage of the feature :P
> > >
> > > What, you think that naming a VMA
> > > "\n55bc3e0f9000-55bc3e0fb000 r--p 00000000 fd:01 16777285 /bin/cat" might cause problems?
>
> The data is wrapped inside "[anon: ]", which limits the ability to
> masquerade as a real file.
That's true, but it's insufficient to avoid spoofing parsers (e.g. if I
set my name to "hiding]\nfake-maps-line-here [anon: evil"
> > Something that would cause buffer overrun or out-of-bound access in a
> > privilaged parser can be even more interesting. :)
>
> This is the same as /proc/pid/cmdline, which has no sanitization.
> It's also limited to 255 bytes, which should hopefully limit the
> opportunity for a buffer overrun.
/proc/$pid/cmdline contains a "single item", in the sense that the
entire field is contained. Confusing parsers is certainly still
possible, but the bounds for it are distinct in that there is nothing
else in that file.
The better analogy is with /proc/$pid/status, which is multi-line like
maps, and *does* perform escaping, e.g.:
$ cat sneaky.c
#include <stdio.h>
#include <unistd.h>
int main(int argc, char *argv[])
{
char * const args[] = {
"four\nfive\nsix",
NULL,
};
return execv("./one\ntwo\nthree", args);
}
$ head -n1 /proc/$pid/status
Name: one\ntwo\nthree
$ cat /proc/$pid/cmdline
four
five
six
> > > Would it be enough to restrict the characters to isalnum()?
> >
> > I guess.
> >
> > But current design stores userspace pointer and there's time-of-check vs.
> > time-of-use problem.
>
> It copies from userspace into a kernel buffer at read time, any
> desired sanitization could easily be added there.
I would prefer having strict validation of the input over escaping the
output, so to that end how about making close to "variable name" sane:
[-\.a-zA-Z0-9_ ] ?
if it should be wider than that, how about printable minus \n \r \f \v [ ] ?
--
Kees Cook
next prev parent reply other threads:[~2020-09-03 17:31 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-09-01 16:14 [PATCH v7 0/3] Anonymous VMA naming patches Sumit Semwal
2020-09-01 16:14 ` [PATCH v7 1/3] mm: rearrange madvise code to allow for reuse Sumit Semwal
2020-09-01 16:14 ` [PATCH v7 2/3] mm: memory: Add access_remote_vm_locked variant Sumit Semwal
2020-09-01 16:14 ` [PATCH v7 3/3] mm: add a field to store names for private anonymous memory Sumit Semwal
2020-09-03 13:25 ` Kirill A. Shutemov
2020-09-03 13:43 ` Matthew Wilcox
2020-09-03 13:58 ` Kirill A. Shutemov
2020-09-03 15:59 ` Colin Cross
2020-09-03 17:31 ` Kees Cook [this message]
2020-09-03 17:54 ` Colin Cross
2020-09-03 18:00 ` Dave Hansen
2020-09-03 18:00 ` Kees Cook
2020-09-03 18:09 ` Dave Hansen
2020-09-03 18:26 ` Colin Cross
2020-09-03 18:40 ` Dave Hansen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202009031022.3834F692@keescook \
--to=keescook@chromium.org \
--cc=Nicolas.Viennot@twosigma.com \
--cc=adobriyan@gmail.com \
--cc=akpm@linux-foundation.org \
--cc=amit.pundir@linaro.org \
--cc=areber@redhat.com \
--cc=bvanassche@acm.org \
--cc=ccross@google.com \
--cc=chenqiwu@xiaomi.com \
--cc=christian.brauner@ubuntu.com \
--cc=corbet@lwn.net \
--cc=daniel.m.jordan@oracle.com \
--cc=dave.hansen@intel.com \
--cc=ebiederm@xmission.com \
--cc=gladkov.alexey@gmail.com \
--cc=gorcunov@openvz.org \
--cc=hannes@cmpxchg.org \
--cc=holt@sgi.com \
--cc=hughd@google.com \
--cc=jan.glauber@gmail.com \
--cc=jgg@ziepe.ca \
--cc=jhubbard@nvidia.com \
--cc=john.stultz@linaro.org \
--cc=kirill.shutemov@linux.intel.com \
--cc=kirill@shutemov.name \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=mathieu.desnoyers@efficios.com \
--cc=mchehab+huawei@kernel.org \
--cc=mchristi@redhat.com \
--cc=mgorman@suse.de \
--cc=mhocko@suse.com \
--cc=minchan@kernel.org \
--cc=mingo@kernel.org \
--cc=mkoutny@suse.com \
--cc=oleg@redhat.com \
--cc=penberg@kernel.org \
--cc=peterz@infradead.org \
--cc=riel@redhat.com \
--cc=rientjes@google.com \
--cc=rob@landley.net \
--cc=sasha.levin@oracle.com \
--cc=serge.hallyn@ubuntu.com \
--cc=shli@fusionio.com \
--cc=songliubraving@fb.com \
--cc=sumit.semwal@linaro.org \
--cc=tangchen@cn.fujitsu.com \
--cc=tglx@linutronix.de \
--cc=vbabka@suse.cz \
--cc=viro@zeniv.linux.org.uk \
--cc=walken@google.com \
--cc=willy@infradead.org \
--cc=yang.shi@linux.alibaba.com \
--cc=ying.huang@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).