Received: by 10.192.165.148 with SMTP id m20csp4041495imm;
        Mon, 30 Apr 2018 10:37:54 -0700 (PDT)
X-Google-Smtp-Source: AB8JxZoRJhcXlzJWolYzsVm7qSta55Zw+crpm8YO6pQKXaFh0IjPFYE0KQBK7dfyHCGDc3hVxOqe
X-Received: by 2002:a63:43c6:: with SMTP id q189-v6mr11012883pga.123.1525109874801;
        Mon, 30 Apr 2018 10:37:54 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1525109874; cv=none;
        d=google.com; s=arc-20160816;
        b=VgTdWwKdLoa60IZN5NyN9cbFlgRzIjCYJi307W3u4a0AuNP2d2vEJEAzzk5OKY0L1o
         qwXPQLIeku0Sicc+Sn2rE+OXNpmAh8Ryp8D9uTyVkasgkAg8PqLNFbwVOdrCcPvvfcht
         04tfJAKCj2d7zQ90aPHh4ER/ssMxBTY+aZsuU4iKz3jjIHDgUnZhe5eCDZl4cwiFpHTw
         8UIRkI5u6g55ADLW+pvK8ziDJV9rI2jzKQrEFzZyPdiReW2WwbaCoGIjssbzUPZrvGrW
         EBvEIVAABUy7CHRF7FUy0P8H1ieYy0w6T6mfleW5XyjoejLMPYu8SDyMhPEx99eq9FWy
         fwcg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:user-agent:in-reply-to
         :content-disposition:mime-version:references:mail-followup-to
         :message-id:subject:cc:to:from:date:arc-authentication-results;
        bh=g6vNaLCDp8yDvDyyqgSMnG2tHvhw5JlK02qu8tRsDQc=;
        b=GMDu4znK25Brl74d0lnbq9EzuD+asO+c4PHgf8YL5jv1C8PuxuU2YxmSg5FAvkZnfS
         pQUueeqKdJEygCv+J+kpIntrNrq8SWWlwb1LpzrjzvrkaXgS+2FuxeTw2xsIr0b+PIgH
         jYVW9XLcfedHm/K93AT1pS0uahYXsNxCgm10r5naQmBnt52hRImN1TkMDBcFV5YfnR4Q
         xlEkmLSOfxV5wKheHaGnpE82bAAFAHefz8AnFay4OMlyMzri5kSho6tfo/SzrdPw5kXs
         SDn7Ma6J1YCXfvHxJxeFwZojby2phcC7g0IyDTIZkE0bXQk2/8F/Odfg+4Tu9nx9w/K6
         PHRA==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id e68-v6si7650634plb.566.2018.04.30.10.37.40;
        Mon, 30 Apr 2018 10:37:54 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1753608AbeD3RgT (ORCPT <rfc822;chaneybenjamini@gmail.com>
        + 99 others); Mon, 30 Apr 2018 13:36:19 -0400
Received: from mx2.suse.de ([195.135.220.15]:56298 "EHLO mx2.suse.de"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1752430AbeD3RgR (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 30 Apr 2018 13:36:17 -0400
X-Virus-Scanned: by amavisd-new at test-mx.suse.de
Received: from relay2.suse.de (charybdis-ext.suse.de [195.135.220.254])
        by mx2.suse.de (Postfix) with ESMTP id 437F2AD7C;
        Mon, 30 Apr 2018 17:36:16 +0000 (UTC)
Date:   Mon, 30 Apr 2018 10:21:52 -0700
From:   Davidlohr Bueso <dave@stgolabs.net>
To:     Andrea Arcangeli <aarcange@redhat.com>
Cc:     Joe Lawrence <joe.lawrence@redhat.com>, akpm@linux-foundation.org,
        gareth.evans@contextis.co.uk,
        "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
        linux-mm@kvack.org
Subject: Re: Questions about commit "ipc/shm: Fix shmat mmap nil-page
 protection"
Message-ID: <20180430172152.nfa564pvgpk3ut7p@linux-n805>
Mail-Followup-To: Andrea Arcangeli <aarcange@redhat.com>,
        Joe Lawrence <joe.lawrence@redhat.com>, akpm@linux-foundation.org,
        gareth.evans@contextis.co.uk,
        "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
        linux-mm@kvack.org
References: <472dbcaa-47b5-7a1b-7c4a-49373db784d3@redhat.com>
 <20170925214438.GU31084@redhat.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Disposition: inline
In-Reply-To: <20170925214438.GU31084@redhat.com>
User-Agent: NeoMutt/20170421 (1.8.2)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, 25 Sep 2017, Andrea Arcangeli wrote:

Sorry this took so long guys. I had forgotten about this until it recently
resurfaced.

>Hello,
>
>On Mon, Sep 25, 2017 at 03:38:07PM -0400, Joe Lawrence wrote:
>> Hi Davidlohr,
>>
>> I was looking into backporting commit 95e91b831f87 ("ipc/shm: Fix shmat
>> mmap nil-page protection") to a distro kernel and Andrea brought up some
>> interesting questions about that change.
>>
>> We saw that a LTP test [1] was added some time ago to reproduce behavior
>> matching that of the original report [2].  However, Andrea and I are a
>> little confused about that original report and what the upstream commit
>> was intended to fix.  A quick summary of our offlist discussion:
>>
>> - This is only about privileged users (and no SELinux).
>>
>> - We modified the 20170119_shmat_nullpage_poc.c reproducer from [2] to
>>   include MAP_FIXED to prove (as root, no SELinux):
>>
>>     It is possible to mmap 0
>>     It is NOT possible to mmap 1
>>
>> - Andrea points out that mmap(1, ...) fails not because of any
>>   mmap_min_addr checks, but for alignment reasons.
>>
>> - He also wonders about other bogus addr values above 4k, but below
>>   mmap_min_addr and whether this change misses those values
>
>Yes, thanks for the accurate summary Joe.
>
>> Is it possible that the original report noticed that shmat allowed
>> attach to an address of 1, and it was assumed that somehow mmap_min_addr
>> protections were circumvented?  Then commit 95e91b831f87 modified the
>> rounding in do_shmat() so that shmat would fail on similar input (but
>> for apparently different reasons)?
>>
>> I didn't see any discussion when looking up the original commit in the
>> list archives, so any explanations or pointers would be very helpful.
>
>We identified only one positive side effect to such change, it is
>about the semantics of SHM_REMAP when addr < shmlba (and != 0). Before
>the patch SHM_REMAP was erroneously implicit for that virtual
>range. However that's not security related either, and there's no
>mention of SHM_REMAP in the commit message.

Coincidence. I didn't notice the SHM_REMAP, but after looking at it
you appear to be right. I'll send a patch along with the revert
(see below).

>
>So then we wondered what this CVE is about in the first place, it
>looks a invalid CVE for a not existent security issue. The testcase at
>least shows no malfunction, mapping addr 0 is fine to succeed with
>CAP_SYS_RAWIO.

This is exactly the issue. I thought mapping addr=0 with MAP_FIXED
was an issue, including for root. Hence avoiding the round off from
1 to 0. If this is legal, then this commit needs reverted.

In fact, X11[1] seems to rely on this _exact_ case; and this change
breaks semantics.

>
>From the commit message, testcase and CVE I couldn't get what this
>commit is about.
>
>Last but not the least, if there was a security problem in calling
>do_mmap_pgoff with addr=0, flags=MAP_FIXED|MAP_SHARED the fix would
>better be moved to do_mmap_pgoff, not in ipc/shm.c.

Yeah at the time, akpm and I wondered why this was special to security.

[1] https://cgit.freedesktop.org/xorg/xserver/tree/hw/xfree86/os-support/linux/int10/linux.c#n347

Thanks,
Davidlohr