From: "Daniel Sangorrin"
To: "'Greg Kroah-Hartman'" ,
Cc: , "'Davidlohr Bueso'" , "'Joe Lawrence'" , "'Andrea Arcangeli'" , "'Manfred Spraul'" , "'Andrew Morton'" , "'Linus Torvalds'"
References: <20180528100202.045206534@linuxfoundation.org> <20180528100203.357731085@linuxfoundation.org>
In-Reply-To: <20180528100203.357731085@linuxfoundation.org>
Subject: RE: [PATCH 4.4 011/268] Revert "ipc/shm: Fix shmat mmap nil-page protection"
Date: Thu, 31 May 2018 11:36:46 +0900
Message-ID: <005601d3f888$37f266f0$a7d734d0$@toshiba.co.jp>
X-Mailing-List: linux-kernel@vger.kernel.org

> -----Original Message-----
> From: stable-owner@vger.kernel.org [mailto:stable-owner@vger.kernel.org] On
> 4.4-stable review patch.  If anyone has any objections, please let me know.
>
> ------------------
> > From: Davidlohr Bueso
> >
> > commit a73ab244f0dad8fffb3291b905f73e2d3eaa7c00 upstream.
> >
> > Patch series "ipc/shm: shmat() fixes around nil-page".

Sorry for being a bit late (the pace is really fast here).

I have found a regression from 4.4.133-rc1 to 4.4.134-rc1 using the Fuego LTP wrapper.

4.4.134-rc1:
tst_test.c:982: INFO: Timeout per run is 0h 05m 00s
cve-2017-5669.c:62: INFO: Attempting to attach shared memory to null page
cve-2017-5669.c:74: INFO: Mapped shared memory to (nil)
cve-2017-5669.c:78: FAIL: We have mapped a VM address within the first 64Kb
cve-2017-5669.c:84: INFO: Touching shared memory to see if anything strange happens

4.4.133-rc1:
tst_test.c:982: INFO: Timeout per run is 0h 05m 00s
cve-2017-5669.c:62: INFO: Attempting to attach shared memory to null page
cve-2017-5669.c:67: PASS: shmat returned EINVAL

The culprits should be one or both of the two last commits to ipc/shm (one of them a revert).

- ipc/shm: fix shmat() nil address after round-down when remapping
- Revert "ipc/shm: Fix shmat mmap nil-page protection"

I need to investigate the concrete reason, but for now I just wanted to report it.

Thanks,
Daniel

> >
> > These patches fix two issues reported[1] a while back by Joe and Andrea
> > around how shmat(2) behaves with nil-page.
> >
> > The first reverts a commit that it was incorrectly thought that mapping
> > nil-page (address=0) was a no no with MAP_FIXED.  This is not the case,
> > with the exception of SHM_REMAP; which is addressed in the second patch.
> >
> > I chose two patches because it is easier to backport and it explicitly
> > reverts bogus behaviour.  Both patches ought to be in -stable and ltp
> > testcases need updated (the added testcase around the cve can be
> > modified to just test for SHM_RND|SHM_REMAP).
> >
> > [1] lkml.kernel.org/r/20180430172152.nfa564pvgpk3ut7p@linux-n805
> >
> > This patch (of 2):
> >
> > Commit 95e91b831f87 ("ipc/shm: Fix shmat mmap nil-page protection")
> > worked on the idea that we should not be mapping as root addr=0 and
> > MAP_FIXED.  However, it was reported that this scenario is in fact
> > valid, thus making the patch both bogus and breaks userspace as well.
> >
> > For example X11's libint10.so relies on shmat(1, SHM_RND) for lowmem
> > initialization[1].
> >
> > [1] https://cgit.freedesktop.org/xorg/xserver/tree/hw/xfree86/os-support/linux/int10/linux.c#n347
> > Link: http://lkml.kernel.org/r/20180503203243.15045-2-dave@stgolabs.net
> > Fixes: 95e91b831f87 ("ipc/shm: Fix shmat mmap nil-page protection")
> > Signed-off-by: Davidlohr Bueso
> > Reported-by: Joe Lawrence
> > Reported-by: Andrea Arcangeli
> > Cc: Manfred Spraul
> > Cc:
> > Signed-off-by: Andrew Morton
> > Signed-off-by: Linus Torvalds
> > Signed-off-by: Greg Kroah-Hartman
> >
> > ---
> >  ipc/shm.c |    9 ++-------
> >  1 file changed, 2 insertions(+), 7 deletions(-)
> >
> > --- a/ipc/shm.c
> > +++ b/ipc/shm.c
> > @@ -1113,13 +1113,8 @@ long do_shmat(int shmid, char __user *sh
> >  		goto out;
> >  	else if ((addr = (ulong)shmaddr)) {
> >  		if (addr & (shmlba - 1)) {
> > -			/*
> > -			 * Round down to the nearest multiple of shmlba.
> > -			 * For sane do_mmap_pgoff() parameters, avoid
> > -			 * round downs that trigger nil-page and MAP_FIXED.
> > -			 */
> > -			if ((shmflg & SHM_RND) && addr >= shmlba)
> > -				addr &= ~(shmlba - 1);
> > +			if (shmflg & SHM_RND)
> > +				addr &= ~(shmlba - 1); /* round down */
> >  			else
> >  #ifndef __ARCH_FORCE_SHMLBA
> >  			if (addr & ~PAGE_MASK)
> >
> >
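Review bot: the FAIL that the cve-2017-5669 LTP case reports is the behaviour this hunk deliberately restores, not a regression in the backport: dropping the `addr >= shmlba` guard from `if ((shmflg & SHM_RND) && addr >= shmlba)` lets `SHM_RND` round a low address such as 1 down to 0, so `shmat()` now succeeds with `MAP_FIXED` at the nil page instead of failing `EINVAL` as the test asserts. The cover text already says the LTP testcase needs updating and that the remaining `SHM_REMAP` case is handled by the second patch, so the stable review note for this backport should state both points explicitly and confirm that the second patch ("ipc/shm: fix shmat() nil address after round-down when remapping") lands in the same release, which the reporter's list of the two last ipc/shm commits indicates it did.

As an added illustration that is not part of this thread and not kernel code: the model below re-implements, in user space, the address-resolution prefix of `do_shmat()` that the hunk touches, with a flag selecting the guarded behaviour of 95e91b831f87 versus the behaviour after this revert. The `SHM_REMAP`-on-nil check is my rendering of what the cover letter says the second patch adds, and the shmlba values, scenarios and the `MODEL_PAGE_*` constants are constructed for the example. It goes beyond the thread's single `shmat(1, SHM_RND)` case to show the general rounding and alignment outcomes.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <sys/mman.h>
#include <sys/shm.h>

/* glibc exports SHM_RND; SHM_REMAP may be hidden behind feature macros. */
#ifndef SHM_REMAP
#define SHM_REMAP 040000
#endif

/* Constructed page geometry for the model (x86-style 4 KiB pages). */
#define MODEL_PAGE_SIZE 4096UL
#define MODEL_PAGE_MASK (~(MODEL_PAGE_SIZE - 1))

/*
 * User-space model (hypothetical, not kernel code) of the address checks at
 * the top of do_shmat().
 *
 *   guard_nil_round == true  : behaviour of 95e91b831f87, where SHM_RND only
 *                              rounds when addr >= shmlba, so a low address
 *                              falls through to the alignment check.
 *   guard_nil_round == false : behaviour after this revert; the SHM_REMAP
 *                              check models what the cover letter says the
 *                              second patch of the series adds.
 *
 * Returns 0 and fills *out_addr / *out_flags, or -EINVAL as the kernel would.
 */
int resolve_shmat_addr(unsigned long addr, int shmflg, unsigned long shmlba,
                       bool guard_nil_round,
                       unsigned long *out_addr, int *out_flags)
{
    if (addr) {
        if (addr & (shmlba - 1)) {                 /* not shmlba-aligned */
            bool round = (shmflg & SHM_RND) &&
                         !(guard_nil_round && addr < shmlba);
            if (round) {
                addr &= ~(shmlba - 1);             /* round down */
                if (!addr && (shmflg & SHM_REMAP))
                    return -EINVAL;                /* second patch: no nil-page remap */
            } else if (addr & ~MODEL_PAGE_MASK) {
                return -EINVAL;                    /* unaligned, no usable SHM_RND */
            }
        }
        *out_flags = MAP_SHARED | MAP_FIXED;       /* caller-chosen address */
    } else {
        if (shmflg & SHM_REMAP)
            return -EINVAL;                        /* SHM_REMAP needs an address */
        *out_flags = MAP_SHARED;                   /* kernel picks the address */
    }
    *out_addr = addr;
    return 0;
}

static void show(const char *what, unsigned long addr, int shmflg,
                 unsigned long shmlba, bool guard)
{
    unsigned long out = 0;
    int flags = 0;
    int rc = resolve_shmat_addr(addr, shmflg, shmlba, guard, &out, &flags);
    const char *mode = guard ? "95e91b831f87" : "after revert";

    if (rc)
        printf("%-40s [%s] -> EINVAL\n", what, mode);
    else
        printf("%-40s [%s] -> addr 0x%lx%s\n", what, mode, out,
               (flags & MAP_FIXED) ? " (MAP_FIXED)" : "");
}

int main(void)
{
    /* Constructed scenarios; shmlba = 4 KiB as on x86, 64 KiB for the fall-through case. */
    show("shmat(id, (void *)1, SHM_RND)", 1, SHM_RND, 0x1000, true);
    show("shmat(id, (void *)1, SHM_RND)", 1, SHM_RND, 0x1000, false);
    show("shmat(id, (void *)1, SHM_RND|SHM_REMAP)", 1, SHM_RND | SHM_REMAP, 0x1000, false);
    show("shmat(id, (void *)0x1000, SHM_RND) lba=64K", 0x1000, SHM_RND, 0x10000, true);
    show("shmat(id, (void *)0x12345, SHM_RND)", 0x12345, SHM_RND, 0x1000, false);
    show("shmat(id, (void *)0x12345, 0)", 0x12345, 0, 0x1000, false);
    show("shmat(id, NULL, SHM_REMAP)", 0, SHM_REMAP, 0x1000, false);
    return 0;
}
```

The first two lines of output are the two LTP results in the report side by side: the guarded kernel leaves address 1 unrounded, the page-alignment check then rejects it with EINVAL, while the reverted kernel rounds it to the nil page and attaches with MAP_FIXED. The third line shows the case the cover letter reserves for the second patch.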