From: Jann Horn
Date: Thu, 13 Feb 2020 15:08:59 +0100
Subject: Re: [PATCH v4 2/8] mm: introduce external memory hinting API
To: Minchan Kim
Cc: Andrew Morton, LKML, linux-mm, Linux API, Oleksandr Natalenko, Suren Baghdasaryan, Tim Murray, Daniel Colascione, Sandeep Patil, Sonny Rao, Brian Geffon, Michal Hocko, Johannes Weiner, Shakeel Butt, John Dias, Joel Fernandes, Alexander Duyck
In-Reply-To: <20200212233946.246210-3-minchan@kernel.org>

On Thu, Feb 13, 2020 at 12:40 AM Minchan Kim wrote:
> To solve the issue, this patch introduces a new syscall process_madvise(2).
> It uses pidfd of an external process to give the hint.
[...]
> + mm = mm_access(task, PTRACE_MODE_ATTACH_FSCREDS);
> + if (IS_ERR_OR_NULL(mm)) {
> + ret = IS_ERR(mm) ? PTR_ERR(mm) : -ESRCH;
> + goto release_task;
> + }
> +
> + ret = do_madvise(task, start, len_in, behavior);

When you're accessing another task, you should ensure that the other task doesn't gain new privileges by executing a setuid binary in the middle of being accessed. mm_access() does that for you; it holds the ->cred_guard_mutex while it is looking up the task's ->mm and doing the security check. mm_access() then returns you an mm pointer that you're allowed to access without worrying about such things; an mm_struct never gains privileges, since a setuid execution creates a fresh mm_struct. However, the task may still execute setuid binaries and such things. This means that after you've looked up the mm with mm_access(), you have to actually *use* that pointer. You're not allowed to simply read task->mm yourself.
Therefore, I think you should:

- change patch 1/8 ("mm: pass task to do_madvise") to also pass an mm_struct* to do_madvise (but keep the task_struct* for patch 4/8)
- in this patch, pass the mm_struct* from mm_access() into do_madvise()
- drop patch 3/8 ("mm: validate mm in do_madvise"); it just papers over a symptom without addressing the underlying problem
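Review bot: the `mm` returned by `mm_access()` is checked but never used in the quoted hunk; `do_madvise(task, start, len_in, behavior)` receives `task`, so whatever `do_madvise()` does with the address space has to go through `task->mm` again, and that field can already point at a different, freshly created mm_struct by the time it is read. The security check in `mm_access()` therefore covers an object that the next line does not operate on. Suggest `ret = do_madvise(mm, task, start, len_in, behavior);` (or equivalent) so the hint is applied only to the mm_struct that passed the check. Separately, `mm_access()` returns a counted reference, and the quoted lines show no matching `mmput()` after `do_madvise()` returns; please make sure it is dropped on both the success and the `release_task` error path.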
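The following is an added user-space model of the check-then-use mistake discussed in this reply; it is not kernel code and not part of the patch series. The structs, functions and names (`model_mm`, `model_task`, `model_mm_access`, `model_exec_setuid`, `hint_by_task`, `hint_by_mm`, `model_race_demo`) are assumptions made for illustration that mirror the shape of `task_struct->mm`, `mm_access()` and `mmput()` without reproducing their real implementation. A setuid exec is modelled as swapping in a brand-new, privileged address space; the demo shows that re-reading `task->mm` after the check can land on that privileged mm, while using the pointer returned by the access check cannot.

```c
/* User-space model of the mm_access() pattern (added example, not kernel code).
 * All names below are illustrative; they do not exist in the kernel. */
#include <stdlib.h>
#include <stdio.h>

struct model_mm {
    int refcount;     /* models the mm_struct reference count */
    int privileged;   /* 1 if this address space belongs to a setuid image */
    int hinted;       /* set when a madvise-like hint was applied to it */
};

struct model_task {
    struct model_mm *mm;   /* models task_struct->mm; replaced on exec */
};

static struct model_mm *model_mm_alloc(int privileged)
{
    struct model_mm *mm = calloc(1, sizeof(*mm));
    if (!mm)
        abort();
    mm->refcount = 1;
    mm->privileged = privileged;
    return mm;
}

/* models mmput(): drop one reference, free on the last one */
static void model_mmput(struct model_mm *mm)
{
    if (--mm->refcount == 0)
        free(mm);
}

/* models exec of a setuid binary: the task gets a fresh, privileged mm;
 * the old mm_struct is never upgraded, it is simply replaced */
static void model_exec_setuid(struct model_task *t)
{
    struct model_mm *old = t->mm;
    t->mm = model_mm_alloc(1);
    model_mmput(old);
}

/* models mm_access(task, PTRACE_MODE_ATTACH_FSCREDS): the real function holds
 * ->cred_guard_mutex across the lookup and the check; here the check is simply
 * "the target is not running a privileged image".  On success a counted
 * reference to the mm that was checked is returned, NULL otherwise. */
static struct model_mm *model_mm_access(struct model_task *t)
{
    struct model_mm *mm = t->mm;
    if (!mm || mm->privileged)
        return NULL;
    mm->refcount++;
    return mm;
}

/* Shape of the quoted hunk: the hint is applied to whatever task->mm holds
 * right now, which may be a different mm than the one that was checked.
 * Returns 1 if the mm that was touched is privileged. */
static int hint_by_task(struct model_task *t)
{
    struct model_mm *mm = t->mm;
    if (!mm)
        return -1;
    mm->hinted = 1;
    return mm->privileged;
}

/* Fixed shape: operate only on the mm returned by the access check. */
static int hint_by_mm(struct model_mm *mm)
{
    mm->hinted = 1;
    return mm->privileged;
}

/* Run the check, let the target exec a setuid image in the window between
 * check and use, then apply the hint either the buggy way (fixed == 0) or the
 * fixed way (fixed != 0).  Returns 1 if a privileged mm was touched, 0 if not,
 * -1 if the access check itself failed. */
int model_race_demo(int fixed)
{
    struct model_task t = { .mm = model_mm_alloc(0) };
    struct model_mm *checked = model_mm_access(&t);
    int touched_privileged;

    if (!checked) {
        model_mmput(t.mm);
        return -1;
    }
    model_exec_setuid(&t);              /* the race window */
    touched_privileged = fixed ? hint_by_mm(checked) : hint_by_task(&t);
    model_mmput(checked);               /* drop the reference mm_access gave us */
    model_mmput(t.mm);                  /* tear down the task's current mm */
    return touched_privileged;
}

int main(void)
{
    printf("re-reading task->mm touched privileged mm: %d\n", model_race_demo(0));
    printf("using the checked mm touched privileged mm: %d\n", model_race_demo(1));
    return 0;
}
```

The reference counting mirrors why the kernel pattern is safe: the old mm_struct stays alive for as long as the caller holds the reference from the access check, so using that pointer is always a use of the object that was actually checked.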