Received: by 2002:a25:c205:0:0:0:0:0 with SMTP id s5csp1181616ybf; Thu, 27 Feb 2020 06:26:16 -0800 (PST) X-Google-Smtp-Source: APXvYqz7VzDmKLgv9Csufci0lV29dEezHox2a82KM0pStkPV2BAcwd7pP92ozFnX1CRjoHaAyrv0 X-Received: by 2002:a05:6830:1e14:: with SMTP id s20mr3602105otr.322.1582813576177; Thu, 27 Feb 2020 06:26:16 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1582813576; cv=none; d=google.com; s=arc-20160816; b=0XEkHCmGIq2l/iJKZHvpqrvmfqwqlvJ+xi3/IAen2bubhe5NtfuibaHk2A6MAAYD3y 64f20CAokUYWFavPxuYOI85osZb0QPh67eD4sGemQbyhglZy63wSgT0sc87v/hcddc61 B/gTfunun2SJkhkj+24t2Ft3iJBHqsDkSL0iwgMBh9lkq121awYaHk1VG/P2oZMNP7Uu Ap2SUeAByZmokNl0CSG+DZ3RjFYcRbablURGEbuUkbzuxrom9Mhe0u72dDnGutmnUcdb I733OPKC/x4PKKeC71ovvzgX8775Oc4OYkE7Fuzbnuj382lAdG5I2TgC0tTtp+nsgTzH hCOw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=TmDWQbUf5IfH+zqR7IkNSY2xvqrxPulCa0tnsqGzUKU=; b=sF2l7es8xxFoYKG+ZH3EQ9hsKLHunE8w6yAR7T75gCsgtiF3ykjwSxbF4nI7fVpmXw So/9hYdY3z+Cc3U6fVeKnRoBUFgJdXSoz6LXPhlAx2lxdO2Z51l/Qy/AhTQ9V13o6ki7 cq2wpbRhIrwXkFFmmixkHAnm9XFbvlG3q0RQ/qPhKRDFAXdaZ1ft3w2ZVdZyH2ZGWt9e 8d9BjtFz51hLXD0FP7o/2xuT4hcv3wpVQmMHD35S02fMQxTU6z60ZM5BHWgAoSmnzdhZ S5+PAdMEa1LH19/KnacMFMYNhxldIOEQNvTJD8++VkieI/IUEJyQ0AXOtOhUXKIyyQSa BbFw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=pBXIE3Rj; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id e64si1508114oib.4.2020.02.27.06.26.04; Thu, 27 Feb 2020 06:26:16 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=pBXIE3Rj; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2389377AbgB0OZ3 (ORCPT + 99 others); Thu, 27 Feb 2020 09:25:29 -0500 Received: from mail.kernel.org ([198.145.29.99]:49608 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2387461AbgB0OLM (ORCPT ); Thu, 27 Feb 2020 09:11:12 -0500 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 0174B20578; Thu, 27 Feb 2020 14:11:10 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1582812671; bh=mvXX6h+kds8LV+p+JhJq3T4Jlw4AlEPL8NKmekeMBgg=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=pBXIE3RjpqrFufJJmqJFLzVE+wV9bm6zo9KoZl3wL4M6ZHjYrnSCik4IKi80SjC/f 4NVN9nx/R3iLVkuvy4jWIpHOAxKQRuzPk+UZ+ZVddokZk3+73lSK7y0v51hjq6bmOe S58dHRQKHSKukeODnKSifsdt8Yviy7edEVPvRMs0= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Florian Weimer , Andrew Morton , Victor Stinner , Will Deacon , Andrey Konovalov , Catalin Marinas Subject: [PATCH 5.4 069/135] mm: Avoid creating virtual address aliases in brk()/mmap()/mremap() Date: Thu, 27 Feb 2020 14:36:49 +0100 Message-Id: <20200227132239.672430340@linuxfoundation.org> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20200227132228.710492098@linuxfoundation.org> References: <20200227132228.710492098@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Catalin Marinas commit dcde237319e626d1ec3c9d8b7613032f0fd4663a upstream. Currently the arm64 kernel ignores the top address byte passed to brk(), mmap() and mremap(). When the user is not aware of the 56-bit address limit or relies on the kernel to return an error, untagging such pointers has the potential to create address aliases in user-space. Passing a tagged address to munmap(), madvise() is permitted since the tagged pointer is expected to be inside an existing mapping. The current behaviour breaks the existing glibc malloc() implementation which relies on brk() with an address beyond 56-bit to be rejected by the kernel. Remove untagging in the above functions by partially reverting commit ce18d171cb73 ("mm: untag user pointers in mmap/munmap/mremap/brk"). In addition, update the arm64 tagged-address-abi.rst document accordingly. Link: https://bugzilla.redhat.com/1797052 Fixes: ce18d171cb73 ("mm: untag user pointers in mmap/munmap/mremap/brk") Cc: # 5.4.x- Cc: Florian Weimer Reviewed-by: Andrew Morton Reported-by: Victor Stinner Acked-by: Will Deacon Acked-by: Andrey Konovalov Signed-off-by: Catalin Marinas Signed-off-by: Will Deacon Signed-off-by: Greg Kroah-Hartman --- Documentation/arm64/tagged-address-abi.rst | 11 +++++++++-- mm/mmap.c | 4 ---- mm/mremap.c | 1 - 3 files changed, 9 insertions(+), 7 deletions(-) --- a/Documentation/arm64/tagged-address-abi.rst +++ b/Documentation/arm64/tagged-address-abi.rst @@ -44,8 +44,15 @@ The AArch64 Tagged Address ABI has two s how the user addresses are used by the kernel: 1. User addresses not accessed by the kernel but used for address space - management (e.g. ``mmap()``, ``mprotect()``, ``madvise()``). The use - of valid tagged pointers in this context is always allowed. + management (e.g. ``mprotect()``, ``madvise()``). The use of valid + tagged pointers in this context is allowed with the exception of + ``brk()``, ``mmap()`` and the ``new_address`` argument to + ``mremap()`` as these have the potential to alias with existing + user addresses. + + NOTE: This behaviour changed in v5.6 and so some earlier kernels may + incorrectly accept valid tagged pointers for the ``brk()``, + ``mmap()`` and ``mremap()`` system calls. 2. User addresses accessed by the kernel (e.g. ``write()``). This ABI relaxation is disabled by default and the application thread needs to --- a/mm/mmap.c +++ b/mm/mmap.c @@ -195,8 +195,6 @@ SYSCALL_DEFINE1(brk, unsigned long, brk) bool downgraded = false; LIST_HEAD(uf); - brk = untagged_addr(brk); - if (down_write_killable(&mm->mmap_sem)) return -EINTR; @@ -1583,8 +1581,6 @@ unsigned long ksys_mmap_pgoff(unsigned l struct file *file = NULL; unsigned long retval; - addr = untagged_addr(addr); - if (!(flags & MAP_ANONYMOUS)) { audit_mmap_fd(fd, flags); file = fget(fd); --- a/mm/mremap.c +++ b/mm/mremap.c @@ -607,7 +607,6 @@ SYSCALL_DEFINE5(mremap, unsigned long, a LIST_HEAD(uf_unmap); addr = untagged_addr(addr); - new_addr = untagged_addr(new_addr); if (flags & ~(MREMAP_FIXED | MREMAP_MAYMOVE)) return ret;