From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <SRS0=50Pb=NV=kvack.org=owner-linux-mm@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-8.2 required=3.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,
	NICE_REPLY_A,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_SANE_1
	autolearn=ham autolearn_force=no version=3.4.0
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 1521CC432BE
	for <linux-mm@archiver.kernel.org>; Mon, 30 Aug 2021 08:12:25 +0000 (UTC)
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by mail.kernel.org (Postfix) with ESMTP id 666BF6101B
	for <linux-mm@archiver.kernel.org>; Mon, 30 Aug 2021 08:12:24 +0000 (UTC)
DMARC-Filter: OpenDMARC Filter v1.4.1 mail.kernel.org 666BF6101B
Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=rasmusvillemoes.dk
Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=kvack.org
Received: by kanga.kvack.org (Postfix)
	id 997096B006C; Mon, 30 Aug 2021 04:12:23 -0400 (EDT)
Received: by kanga.kvack.org (Postfix, from userid 40)
	id 946FE8D0001; Mon, 30 Aug 2021 04:12:23 -0400 (EDT)
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id 80E716B0072; Mon, 30 Aug 2021 04:12:23 -0400 (EDT)
X-Delivered-To: linux-mm@kvack.org
Received: from forelay.hostedemail.com (smtprelay0020.hostedemail.com [216.40.44.20])
	by kanga.kvack.org (Postfix) with ESMTP id 733446B006C
	for <linux-mm@kvack.org>; Mon, 30 Aug 2021 04:12:23 -0400 (EDT)
Received: from smtpin22.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251])
	by forelay05.hostedemail.com (Postfix) with ESMTP id 24F68181AF5D7
	for <linux-mm@kvack.org>; Mon, 30 Aug 2021 08:12:23 +0000 (UTC)
X-FDA: 78531029766.22.57A2B6C
Received: from mail-lf1-f48.google.com (mail-lf1-f48.google.com [209.85.167.48])
	by imf07.hostedemail.com (Postfix) with ESMTP id BBB8010000A6
	for <linux-mm@kvack.org>; Mon, 30 Aug 2021 08:12:22 +0000 (UTC)
Received: by mail-lf1-f48.google.com with SMTP id b4so29505069lfo.13
        for <linux-mm@kvack.org>; Mon, 30 Aug 2021 01:12:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=rasmusvillemoes.dk; s=google;
        h=subject:to:cc:references:from:message-id:date:user-agent
         :mime-version:in-reply-to:content-language:content-transfer-encoding;
        bh=37NPYMAcAJ2zN2cJYUDeD0UMO7gOVKhQ3wSJbKTk4Y4=;
        b=GCDOzcNzVhs4IQ7426ZVN03J0Ko2sEjG9cQEZGeMHf7zHH0uTul5FY+dMxWAJAq77p
         j+8i+7QJbELQPKI4PT+dLeghPh3S68CXIvvm52+XXL80drAEs96e4nX4qMjOTIzgJVC8
         cARoPXDw1opzv8Bt2MuT5eD6UsHeTs6ZLJSBo=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:subject:to:cc:references:from:message-id:date
         :user-agent:mime-version:in-reply-to:content-language
         :content-transfer-encoding;
        bh=37NPYMAcAJ2zN2cJYUDeD0UMO7gOVKhQ3wSJbKTk4Y4=;
        b=nb8AHp3dAwNd86r8YvCy/UH7U69yOSeNY8k69I7gsmtzJD9NQdnisj+whotp50zP0U
         zh9xyRMWjLOtAGSzulYhmXzK4WzVxNcjXiR/jsRD97pD8fEajsygyPHTGTYl4x+BWFPv
         Hnb1hE1B/CNkra5rTouznAF0qe07/tFp42cmEKHgtf/L9Ij5QBMIzu5Qka4ZxlLgOha2
         JyGYSPI2mflbIKzKPi1pSHTtFANANYOrXN31T1QGRE9Hhr1m1cO4Kit4QCfF+jPlGkvR
         7tFv6NpgmJPkJalkDJTH3pldhtPg+3zb7tou4Pz/22r1F0jXTeDzaPdCyw++gSuyoDkM
         Vj3g==
X-Gm-Message-State: AOAM5315SBqqCBOprvzcdmNEjzxsNCgUQARP6LRk7AxNbOtXl3VrjcCD
	PiFEY85mckefHj2kGCcZ/SuL5w==
X-Google-Smtp-Source: ABdhPJyqK6pQ4ZHjxX58026zqbgeQvpstiUZ8XlEC+qgCUJQtVIYIg6u5NRiRukkzgIJZHyRGY3uhA==
X-Received: by 2002:a05:6512:1686:: with SMTP id bu6mr16774526lfb.168.1630311141001;
        Mon, 30 Aug 2021 01:12:21 -0700 (PDT)
Received: from [172.16.11.1] ([81.216.59.226])
        by smtp.gmail.com with ESMTPSA id e4sm676505lfc.141.2021.08.30.01.12.18
        (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
        Mon, 30 Aug 2021 01:12:20 -0700 (PDT)
Subject: Re: [PATCH v8 2/3] mm: add a field to store names for private
 anonymous memory
To: Suren Baghdasaryan <surenb@google.com>, Kees Cook <keescook@chromium.org>
Cc: Matthew Wilcox <willy@infradead.org>,
 Andrew Morton <akpm@linux-foundation.org>, Colin Cross <ccross@google.com>,
 Sumit Semwal <sumit.semwal@linaro.org>, Michal Hocko <mhocko@suse.com>,
 Dave Hansen <dave.hansen@intel.com>,
 "Kirill A . Shutemov" <kirill.shutemov@linux.intel.com>,
 Vlastimil Babka <vbabka@suse.cz>, Johannes Weiner <hannes@cmpxchg.org>,
 Jonathan Corbet <corbet@lwn.net>, Al Viro <viro@zeniv.linux.org.uk>,
 Randy Dunlap <rdunlap@infradead.org>, Kalesh Singh <kaleshsingh@google.com>,
 Peter Xu <peterx@redhat.com>, rppt@kernel.org,
 Peter Zijlstra <peterz@infradead.org>,
 Catalin Marinas <catalin.marinas@arm.com>, vincenzo.frascino@arm.com,
 =?UTF-8?B?Q2hpbndlbiBDaGFuZyAo5by16Yym5paHKQ==?=
 <chinwen.chang@mediatek.com>, Axel Rasmussen <axelrasmussen@google.com>,
 Andrea Arcangeli <aarcange@redhat.com>, Jann Horn <jannh@google.com>,
 apopple@nvidia.com, John Hubbard <jhubbard@nvidia.com>,
 Yu Zhao <yuzhao@google.com>, Will Deacon <will@kernel.org>,
 fenghua.yu@intel.com, thunder.leizhen@huawei.com,
 Hugh Dickins <hughd@google.com>, feng.tang@intel.com,
 Jason Gunthorpe <jgg@ziepe.ca>, Roman Gushchin <guro@fb.com>,
 Thomas Gleixner <tglx@linutronix.de>, krisman@collabora.com,
 chris.hyser@oracle.com, Peter Collingbourne <pcc@google.com>,
 "Eric W. Biederman" <ebiederm@xmission.com>, Jens Axboe <axboe@kernel.dk>,
 legion@kernel.org, eb@emlix.com, Muchun Song <songmuchun@bytedance.com>,
 Viresh Kumar <viresh.kumar@linaro.org>, thomascedeno@google.com,
 sashal@kernel.org, cxfcosmos@gmail.com, linux@rasmusvillemoes.dk,
 LKML <linux-kernel@vger.kernel.org>, linux-fsdevel@vger.kernel.org,
 linux-doc@vger.kernel.org, linux-mm <linux-mm@kvack.org>,
 kernel-team <kernel-team@android.com>
References: <20210827191858.2037087-1-surenb@google.com>
 <20210827191858.2037087-3-surenb@google.com>
 <YSmVl+DEPrU6oUR4@casper.infradead.org> <202108272228.7D36F0373@keescook>
 <CAJuCfpEWc+eTLYp_Xf9exMJCO_cFtvBUzi39+WbcSKZBXHe3SQ@mail.gmail.com>
From: Rasmus Villemoes <linux@rasmusvillemoes.dk>
Message-ID: <f7117620-28ba-cfa5-b2c6-21812f15e4d6@rasmusvillemoes.dk>
Date: Mon, 30 Aug 2021 10:12:18 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
 Thunderbird/78.11.0
MIME-Version: 1.0
In-Reply-To: <CAJuCfpEWc+eTLYp_Xf9exMJCO_cFtvBUzi39+WbcSKZBXHe3SQ@mail.gmail.com>
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Authentication-Results: imf07.hostedemail.com;
	dkim=pass header.d=rasmusvillemoes.dk header.s=google header.b=GCDOzcNz;
	spf=pass (imf07.hostedemail.com: domain of linux@rasmusvillemoes.dk designates 209.85.167.48 as permitted sender) smtp.mailfrom=linux@rasmusvillemoes.dk;
	dmarc=none
X-Rspamd-Server: rspam02
X-Rspamd-Queue-Id: BBB8010000A6
X-Stat-Signature: y16dte9hpta6erb3mia8pds8xrtgrwbm
X-HE-Tag: 1630311142-507516
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>

On 28/08/2021 23.47, Suren Baghdasaryan wrote:
> On Fri, Aug 27, 2021 at 10:52 PM Kees Cook <keescook@chromium.org> wrote:
>>
>>>> +   case PR_SET_VMA_ANON_NAME:
>>>> +           name = strndup_user((const char __user *)arg,
>>>> +                               ANON_VMA_NAME_MAX_LEN);
>>>> +
>>>> +           if (IS_ERR(name))
>>>> +                   return PTR_ERR(name);
>>>> +
>>>> +           for (pch = name; *pch != '\0'; pch++) {
>>>> +                   if (!isprint(*pch)) {
>>>> +                           kfree(name);
>>>> +                           return -EINVAL;
>>>
>>> I think isprint() is too weak a check.  For example, I would suggest
>>> forbidding the following characters: ':', ']', '[', ' '.  Perhaps

Indeed. There's also the issue that the kernel's ctype actually
implements some almost-but-not-quite latin1, so (some) chars above 0x7f
would also pass isprint() - while everybody today expects utf-8, so the
ability to put almost arbitrary sequences of chars with the high bit set
could certainly confuse some parsers. IOW, don't use isprint() at all,
just explicitly check for the byte values that we and up agreeing to
allow/forbid.

>>> isalnum() would be better?  (permit a-zA-Z0-9)  I wouldn't necessarily
>>> be opposed to some punctuation characters, but let's avoid creating
>>> confusion.  Do you happen to know which characters are actually in use
>>> today?
>>
>> There's some sense in refusing [, ], and :, but removing " " seems
>> unhelpful for reasonable descriptors. As long as weird stuff is escaped,
>> I think it's fine. Any parser can just extract with m|\[anon:(.*)\]$|
> 
> I see no issue in forbidding '[' and ']' but whitespace and ':' are
> currently used by Android. Would forbidding or escaping '[' and ']' be
> enough?

how about allowing [0x20, 0x7e] except [0x5b, 0x5d], i.e. all printable
(including space) ascii characters, except [ \ ] - the brackets as
already discussed, and backslash because then there's nobody who can get
confused about whether there's some (and then which?) escaping mechanism
in play - "\n" is simply never going to appear. Simple rules, easy to
implement, easy to explain in a man page.

>>
>> For example, just escape it here instead of refusing to take it. Something
>> like:
>>
>>         name = strndup_user((const char __user *)arg,
>>                             ANON_VMA_NAME_MAX_LEN);
>>         escaped = kasprintf(GFP_KERNEL, "%pE", name);

I would not go down that road. First, it makes it much harder to explain
the rules for what are allowed and not allowed. Second, parsers become
much more complicated. Third, does the length limit then apply to the
escaped or unescaped string?

Rasmus