From: Minchan Kim <minchan@kernel.org>
To: akpm@linux-foundation.org, torvalds@linux-foundation.org
Cc: LKML <linux-kernel@vger.kernel.org>,
	linux-mm <linux-mm@kvack.org>,
	jannh@google.com, mhocko@suse.com, shakeelb@google.com,
	surenb@google.com, christian@brauner.io, rientjes@google.com,
	bgeffon@google.com, vbabka@suse.cz,
	Minchan Kim <minchan@kernel.org>,
	security@kernel.org
Subject: [PATCH] mm/madvise: remove racy mm ownership check
Date: Tue,  8 Dec 2020 19:21:55 -0800
Message-ID: <20201209032155.564991-1-minchan@kernel.org>

Jann spotted the security hole due to race of mm ownership check.
If the task is sharing the mm_struct but goes through execve()
before mm_access(), it could skip process_madvise_behavior_valid
check. That makes *any advice hint* to reach into the remote process.

This patch removes the mm ownership check. With it, it will lose
the ability that local process could give *any* advice hint with
vector interface for some reason (e.g., performance).
Since there is no concrete example in upstream yet, it would be
better to remove the ability at this moment and need to review
when such new advice comes up.

Cc: security@kernel.org
Fixes: ecb8ac8b1f14 ("mm/madvise: introduce process_madvise() syscall: an external memory hinting API")
Reported-by: Jann Horn <jannh@google.com>
Suggested-by: Jann Horn <jannh@google.com>
Signed-off-by: Minchan Kim <minchan@kernel.org>
---
 mm/madvise.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/mm/madvise.c b/mm/madvise.c
index a8d8d48a57fe..13f5677b9322 100644
--- a/mm/madvise.c
+++ b/mm/madvise.c
@@ -1204,8 +1204,7 @@ SYSCALL_DEFINE5(process_madvise, int, pidfd, const struct iovec __user *, vec,
 		goto put_pid;
 	}
 
-	if (task->mm != current->mm &&
-			!process_madvise_behavior_valid(behavior)) {
+	if (!process_madvise_behavior_valid(behavior)) {
 		ret = -EINVAL;
 		goto release_task;
 	}
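Review bot: dropping the `task->mm != current->mm` half of the condition is the right shape for this check, because it ran before `mm_access()` and so could observe a `task->mm` that an execve() in the target was about to replace; with the hunk as written, `process_madvise_behavior_valid(behavior)` gates every caller and the outcome no longer depends on what `task->mm` happens to be at that instant. Two follow-ups worth raising: first, a self-targeted call that previously passed any hint now gets `-EINVAL`, which is the intended loss recorded in the commit message but is invisible in the code, so a one-line comment above the `if` stating that the behavior whitelist applies regardless of whether the target shares the caller's mm would keep the next reader from reintroducing the comparison; second, the process_madvise(2) documentation should say the same, since the dropped capability was user-visible.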
-- 
2.29.2.576.ga3fc446d84-goog




Thread overview: 2+ messages
2020-12-09  3:21 Minchan Kim [this message]
2020-12-09  4:58 ` [PATCH] mm/madvise: remove racy mm ownership check Linus Torvalds