LKML Archive on lore.kernel.org
 help / Atom feed
* [PATCH -next 0/2] ipc/shm: shmat() fixes around nil-page
@ 2018-05-03 20:32 Davidlohr Bueso
  2018-05-03 20:32 ` [PATCH 1/2] Revert "ipc/shm: Fix shmat mmap nil-page protection" Davidlohr Bueso
                   ` (2 more replies)
  0 siblings, 3 replies; 5+ messages in thread
From: Davidlohr Bueso @ 2018-05-03 20:32 UTC (permalink / raw)
  To: akpm, aarcange
  Cc: joe.lawrence, gareth.evans, linux-kernel, linux-mm, dave, stable

Hi,

These patches fix two issues reported[1] a while back by Joe and Andrea
around how shmat(2) behaves with nil-page.

The first reverts a commit that it was incorrectly thought that mapping
nil-page (address=0) was a no no with MAP_FIXED. This is not the case,
with the exception of SHM_REMAP; which is address in the second patch.

I chose two patches because it is easier to backport and it explicitly
reverts bogus behaviour. Both patches ought to be in -stable and ltp
testcases need updated (the added testcase around the cve can be modified
to just test for SHM_RND|SHM_REMAP).

[1] lkml.kernel.org/r/20180430172152.nfa564pvgpk3ut7p@linux-n805

Thanks! 

Davidlohr Bueso (2):
  Revert "ipc/shm: Fix shmat mmap nil-page protection"
  ipc/shm: fix shmat() nil address after round-down when remapping

 ipc/shm.c | 19 +++++++++++--------
 1 file changed, 11 insertions(+), 8 deletions(-)

-- 
2.13.6

^ permalink raw reply	[flat|nested] 5+ messages in thread

* [PATCH 1/2] Revert "ipc/shm: Fix shmat mmap nil-page protection"
  2018-05-03 20:32 [PATCH -next 0/2] ipc/shm: shmat() fixes around nil-page Davidlohr Bueso
@ 2018-05-03 20:32 ` Davidlohr Bueso
  2018-05-03 20:49 ` [PATCH 2/2] ipc/shm: fix shmat() nil address after round-down when remapping Davidlohr Bueso
  2018-05-10 18:17 ` [PATCH -next 0/2] ipc/shm: shmat() fixes around nil-page Vlastimil Babka
  2 siblings, 0 replies; 5+ messages in thread
From: Davidlohr Bueso @ 2018-05-03 20:32 UTC (permalink / raw)
  To: akpm, aarcange
  Cc: joe.lawrence, gareth.evans, linux-kernel, linux-mm, dave, stable,
	Davidlohr Bueso

95e91b831f87 (ipc/shm: Fix shmat mmap nil-page protection) worked on
the idea that we should not be mapping as root addr=0 and MAP_FIXED.
However, it was reported that this scenario is in fact valid, thus
making the patch both bogus and breaks userspace as well. For example
X11's libint10.so relies on shmat(1, SHM_RND) for lowmem initialization[1].

[1] https://cgit.freedesktop.org/xorg/xserver/tree/hw/xfree86/os-support/linux/int10/linux.c#n347

Reported-by: Joe Lawrence <joe.lawrence@redhat.com>
Reported-by: Andrea Arcangeli <aarcange@redhat.com>
Signed-off-by: Davidlohr Bueso <dbueso@suse.de>
---
 ipc/shm.c | 9 ++-------
 1 file changed, 2 insertions(+), 7 deletions(-)

diff --git a/ipc/shm.c b/ipc/shm.c
index 0075990338f4..b81d53c8f459 100644
--- a/ipc/shm.c
+++ b/ipc/shm.c
@@ -1371,13 +1371,8 @@ long do_shmat(int shmid, char __user *shmaddr, int shmflg,
 
 	if (addr) {
 		if (addr & (shmlba - 1)) {
-			/*
-			 * Round down to the nearest multiple of shmlba.
-			 * For sane do_mmap_pgoff() parameters, avoid
-			 * round downs that trigger nil-page and MAP_FIXED.
-			 */
-			if ((shmflg & SHM_RND) && addr >= shmlba)
-				addr &= ~(shmlba - 1);
+			if (shmflg & SHM_RND)
+				addr &= ~(shmlba - 1);  /* round down */
 			else
 #ifndef __ARCH_FORCE_SHMLBA
 				if (addr & ~PAGE_MASK)
-- 
2.13.6

^ permalink raw reply	[flat|nested] 5+ messages in thread

* [PATCH 2/2] ipc/shm: fix shmat() nil address after round-down when remapping
  2018-05-03 20:32 [PATCH -next 0/2] ipc/shm: shmat() fixes around nil-page Davidlohr Bueso
  2018-05-03 20:32 ` [PATCH 1/2] Revert "ipc/shm: Fix shmat mmap nil-page protection" Davidlohr Bueso
@ 2018-05-03 20:49 ` Davidlohr Bueso
  2018-05-10 18:17 ` [PATCH -next 0/2] ipc/shm: shmat() fixes around nil-page Vlastimil Babka
  2 siblings, 0 replies; 5+ messages in thread
From: Davidlohr Bueso @ 2018-05-03 20:49 UTC (permalink / raw)
  To: akpm, aarcange
  Cc: joe.lawrence, gareth.evans, linux-kernel, linux-mm, stable, dave

shmat()'s SHM_REMAP option forbids passing a nil address for; this
is in fact the very first thing we check for. Andrea reported that
for SHM_RND|SHM_REMAP cases we can end up bypassing the initial
addr check, but we need to check again if the address was rounded
down to nil. As of this patch, such cases will return -EINVAL.

Reported-by: Andrea Arcangeli <aarcange@redhat.com>
Signed-off-by: Davidlohr Bueso <dbueso@suse.de>
---
 ipc/shm.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/ipc/shm.c b/ipc/shm.c
index b81d53c8f459..29978ee76c2e 100644
--- a/ipc/shm.c
+++ b/ipc/shm.c
@@ -1371,9 +1371,17 @@ long do_shmat(int shmid, char __user *shmaddr, int shmflg,
 
 	if (addr) {
 		if (addr & (shmlba - 1)) {
-			if (shmflg & SHM_RND)
+			if (shmflg & SHM_RND) {
 				addr &= ~(shmlba - 1);  /* round down */
-			else
+
+				/*
+				 * Ensure that the round-down is non-nil
+				 * when remapping. This can happen for
+				 * cases when addr < shmlba.
+				 */
+				if (!addr && (shmflg & SHM_REMAP))
+					goto out;
+			} else
 #ifndef __ARCH_FORCE_SHMLBA
 				if (addr & ~PAGE_MASK)
 #endif
-- 
2.13.6

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH -next 0/2] ipc/shm: shmat() fixes around nil-page
  2018-05-03 20:32 [PATCH -next 0/2] ipc/shm: shmat() fixes around nil-page Davidlohr Bueso
  2018-05-03 20:32 ` [PATCH 1/2] Revert "ipc/shm: Fix shmat mmap nil-page protection" Davidlohr Bueso
  2018-05-03 20:49 ` [PATCH 2/2] ipc/shm: fix shmat() nil address after round-down when remapping Davidlohr Bueso
@ 2018-05-10 18:17 ` Vlastimil Babka
  2018-05-14 16:19   ` Davidlohr Bueso
  2 siblings, 1 reply; 5+ messages in thread
From: Vlastimil Babka @ 2018-05-10 18:17 UTC (permalink / raw)
  To: Davidlohr Bueso, akpm, aarcange
  Cc: joe.lawrence, gareth.evans, linux-kernel, linux-mm, stable, ltp

On 05/03/2018 10:32 PM, Davidlohr Bueso wrote:
> Hi,
> 
> These patches fix two issues reported[1] a while back by Joe and Andrea
> around how shmat(2) behaves with nil-page.
> 
> The first reverts a commit that it was incorrectly thought that mapping
> nil-page (address=0) was a no no with MAP_FIXED. This is not the case,
> with the exception of SHM_REMAP; which is address in the second patch.

Can you add appropriate Fixes: tags if possible? I guess patch 1 is
clear, dunno about patch 2...

> I chose two patches because it is easier to backport and it explicitly
> reverts bogus behaviour. Both patches ought to be in -stable and ltp
> testcases need updated (the added testcase around the cve can be modified
> to just test for SHM_RND|SHM_REMAP).

CC'd ltp so they know :)

Thanks,
Vlastimil

> 
> [1] lkml.kernel.org/r/20180430172152.nfa564pvgpk3ut7p@linux-n805
> 
> Thanks! 
> 
> Davidlohr Bueso (2):
>   Revert "ipc/shm: Fix shmat mmap nil-page protection"
>   ipc/shm: fix shmat() nil address after round-down when remapping
> 
>  ipc/shm.c | 19 +++++++++++--------
>  1 file changed, 11 insertions(+), 8 deletions(-)
> 

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH -next 0/2] ipc/shm: shmat() fixes around nil-page
  2018-05-10 18:17 ` [PATCH -next 0/2] ipc/shm: shmat() fixes around nil-page Vlastimil Babka
@ 2018-05-14 16:19   ` Davidlohr Bueso
  0 siblings, 0 replies; 5+ messages in thread
From: Davidlohr Bueso @ 2018-05-14 16:19 UTC (permalink / raw)
  To: Vlastimil Babka
  Cc: akpm, aarcange, joe.lawrence, gareth.evans, linux-kernel,
	linux-mm, stable, ltp

On Thu, 10 May 2018, Vlastimil Babka wrote:

>Can you add appropriate Fixes: tags if possible? I guess patch 1 is
>clear, dunno about patch 2...

Right, patch 1 would still benefit from Fixes tag. As to patch 2, the bug
as been there since forever (pre-dates git history). But yeah, as both come
together and are related to a certain extent, the same Fixes could serve both
patches.

Thanks,
Davidlohr

^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, back to index

Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-05-03 20:32 [PATCH -next 0/2] ipc/shm: shmat() fixes around nil-page Davidlohr Bueso
2018-05-03 20:32 ` [PATCH 1/2] Revert "ipc/shm: Fix shmat mmap nil-page protection" Davidlohr Bueso
2018-05-03 20:49 ` [PATCH 2/2] ipc/shm: fix shmat() nil address after round-down when remapping Davidlohr Bueso
2018-05-10 18:17 ` [PATCH -next 0/2] ipc/shm: shmat() fixes around nil-page Vlastimil Babka
2018-05-14 16:19   ` Davidlohr Bueso

LKML Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/lkml/0 lkml/git/0.git
	git clone --mirror https://lore.kernel.org/lkml/1 lkml/git/1.git
	git clone --mirror https://lore.kernel.org/lkml/2 lkml/git/2.git
	git clone --mirror https://lore.kernel.org/lkml/3 lkml/git/3.git
	git clone --mirror https://lore.kernel.org/lkml/4 lkml/git/4.git
	git clone --mirror https://lore.kernel.org/lkml/5 lkml/git/5.git
	git clone --mirror https://lore.kernel.org/lkml/6 lkml/git/6.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 lkml lkml/ https://lore.kernel.org/lkml \
		linux-kernel@vger.kernel.org linux-kernel@archiver.kernel.org
	public-inbox-index lkml


Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.linux-kernel


AGPL code for this site: git clone https://public-inbox.org/ public-inbox