From: Miklos Szeredi <miklos@szeredi.hu>
To: Chengguang Xu <cgxu519@mykernel.net>
Cc: linux-unionfs <linux-unionfs@vger.kernel.org>
Subject: Re: [PATCH] ovl: check VM_DENYWRITE mappings in copy-up
Date: Tue, 13 Apr 2021 10:47:53 +0200 [thread overview]
Message-ID: <CAJfpegsKHRY=AxQMECwXNh2Rni_Ah0uo939aEfhRcQB3Rz-AGQ@mail.gmail.com> (raw)
In-Reply-To: <178c943b8b6.cd81e26521858.1415503984601701317@mykernel.net>
On Tue, Apr 13, 2021 at 5:26 AM Chengguang Xu <cgxu519@mykernel.net> wrote:
>
> ---- 在 星期四, 2021-04-08 23:03:39 Miklos Szeredi <miklos@szeredi.hu> 撰写 ----
> > On Thu, Apr 8, 2021 at 1:40 PM Chengguang Xu <cgxu519@mykernel.net> wrote:
> > >
> > > ---- 在 星期四, 2021-04-08 19:29:55 Miklos Szeredi <miklos@szeredi.hu> 撰写 ----
> > > > On Thu, Apr 8, 2021 at 1:28 PM Chengguang Xu <cgxu519@mykernel.net> wrote:
> > > > >
> > > > > ---- 在 星期四, 2021-04-08 19:20:42 Chengguang Xu <cgxu519@mykernel.net> 撰写 ----
> > > > > > In overlayfs copy-up, if open flag has O_TRUNC then upper
> > > > > > file will truncate to zero size, in this case we should check
> > > > > > VM_DENYWRITE mappings to keep compatibility with other filesystems.
> > > >
> > > > Can you provide a test case for the bug that this is fixing?
> > > >
> > >
> > > Execute binary file(keep running until open) in overlayfs which only has lower && open the binary file with flag O_RDWR|O_TRUNC
> > >
> > > Expected result: open fail with -ETXTBSY
> > >
> > > Actual result: open success
> >
> > Worse, it's possible to get a "Bus error" with just execute and write
> > on an overlayfs file, which i_writecount is supposed to protect.
> >
> > The reason is that the put_write_access() call in __vma_link_file()
> > assumes an already negative writecount, but because of the vm_file
> > shuffle in ovl_mmap() that's not guaranteed. There's even a comment
> > about exactly this situation in mmap():
> >
> > /* ->mmap() can change vma->vm_file, but must guarantee that
> > * vma_link() below can deny write-access if VM_DENYWRITE is set
> > * and map writably if VM_SHARED is set. This usually means the
> > * new file must not have been exposed to user-space, yet.
> > */
> >
> > The attached patch fixes this, but not your original bug.
> >
> > That could be addressed by checking the writecount on *both* lower and
> > upper for open for write/truncate. Note: this could be checked before
> > copy-up, but that's not reliable alone, because the copy up could
> > happen due to meta-data update, for example, and then the
> > open/truncate wouldn't trigger the writecount check.
> >
> > Something like the second attached patch?
> >
>
> Yeah, I noticed that too just after posted my previous patch.
> However, rethink these two cases, in practice we share lower layers
> in most use cases especially in container use case. So if we check
> VM_DENYWRITE of lower file strictly, it may cause interferes between
> container instances. Maybe only checking upper file will be better
> option?
Yes.
My patch to fix the SIGBUS is also incomplete as there's still a race
window between releasing the temporary writecount and the __vma_link()
that acquires the final count. This requires major surgery to fix
properly :(
Thanks,
Miklos
next prev parent reply other threads:[~2021-04-13 8:48 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-04-08 11:20 [PATCH] ovl: check VM_DENYWRITE mappings in copy-up Chengguang Xu
2021-04-08 11:28 ` 回复:[PATCH] " Chengguang Xu
2021-04-08 11:29 ` [PATCH] " Miklos Szeredi
2021-04-08 11:40 ` Chengguang Xu
2021-04-08 15:03 ` Miklos Szeredi
2021-04-13 3:26 ` Chengguang Xu
2021-04-13 8:47 ` Miklos Szeredi [this message]
2021-04-20 11:14 ` Chengguang Xu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAJfpegsKHRY=AxQMECwXNh2Rni_Ah0uo939aEfhRcQB3Rz-AGQ@mail.gmail.com' \
--to=miklos@szeredi.hu \
--cc=cgxu519@mykernel.net \
--cc=linux-unionfs@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).