Received: by 2002:a05:6a10:f347:0:0:0:0 with SMTP id d7csp872323pxu;
        Wed, 16 Dec 2020 17:32:48 -0800 (PST)
X-Google-Smtp-Source: ABdhPJzNAcm6ufyoGNA82VXcFH3F73SobTChNPGRy97mhA3MgRAtYvxfoOoXOz8Y1XXwWR/HYxxX
X-Received: by 2002:aa7:cb49:: with SMTP id w9mr37666674edt.357.1608168768475;
        Wed, 16 Dec 2020 17:32:48 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1608168768; cv=none;
        d=google.com; s=arc-20160816;
        b=b5sty2cO54k7O5G1z3Xpa6SJmewq8PFGPRoOJk6jR4lSOFFlpJt4qGH2O0zu553AbZ
         xLuIJwIV43LAyvYptqAfjrY7H1Oqyz9hs6fXu+tfDzJuQqqEP9FwZmPZBZFfTebpP88I
         nN+IPYyx2SWYQBqQoh9pYF7Y8GmPiex1I5Gf+rC74j4gHA5yReuT3R7JFyBY18r1tHzf
         RJqOix94FirU2zQ4SK1flHR/r6gv4dqtBpTeC0MFZG2c6yW8QwV0XRO5crmhdt5yVrcg
         2k9L/L0D2BDfRzAWUKuwPt3Ru9/hIZ9dT6HOGb9gyXzWnns/pCe6D/Muiit3pM8B6LOE
         Wrog==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:cc:to:subject:message-id:date:from:mime-version
         :dkim-signature;
        bh=6dQwp+n3JOcX+nLXSXjNOHWl3D3cLU9xBCqYgREOWb4=;
        b=AWOMPRcSc6zYys9Qm6erD+WD1tiayDmMyYTy6DpYwsIUDgDuQilPwhHRqcnzif2imw
         p5XdIyeU62grYuL7xmDtb1WywZDVgGIPz9miAdcd2TMi785/ywhTQsiDJ7T+BZva/pAy
         YYkVpziPCrpScHi16DrP3jDFHSgF80dg28rIHcWa26beLvhArWodDYW8A1Q7kIh+//yO
         qM8JNI4QwrygK+dUC0xebC1YGL+qejXnlisz6Dw6sXmIFP4dXOQdw7B+vaEUd08WcaB6
         +zF65IXRlncZFf00ynuwi3CTL363VMQ/e9lFCTtPmNG/X7TSlCK2qd5MhnJpjlEPxPkE
         q8Iw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@juliacomputing.com header.s=google header.b="ZX4EJ9/O";
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id y17si3658392edm.386.2020.12.16.17.32.26;
        Wed, 16 Dec 2020 17:32:48 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@juliacomputing.com header.s=google header.b="ZX4EJ9/O";
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727857AbgLQBar (ORCPT <rfc822;luzhigang001@gmail.com>
        + 99 others); Wed, 16 Dec 2020 20:30:47 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:57788 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1725988AbgLQBar (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 16 Dec 2020 20:30:47 -0500
Received: from mail-io1-xd29.google.com (mail-io1-xd29.google.com [IPv6:2607:f8b0:4864:20::d29])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id E195AC061794
        for <linux-kernel@vger.kernel.org>; Wed, 16 Dec 2020 17:30:06 -0800 (PST)
Received: by mail-io1-xd29.google.com with SMTP id z136so25953589iof.3
        for <linux-kernel@vger.kernel.org>; Wed, 16 Dec 2020 17:30:06 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=juliacomputing.com; s=google;
        h=mime-version:from:date:message-id:subject:to:cc;
        bh=6dQwp+n3JOcX+nLXSXjNOHWl3D3cLU9xBCqYgREOWb4=;
        b=ZX4EJ9/Ocdmd7IhRX8jQhFjf4hMjSTgDjilQnqsmpoL5ZCjlyMETnIPYGCPnXiwIRb
         s5VqKC6wxrGqjF1GCxt3JXOr7nraDXdOwD0OcslGBbELo8wseFfXvzzRDIKLgSJnjh9A
         NLole1g3xWlD7ufoyVvZvnzzv8kKPDVTLJOpADdT9m3NTzUlKX5lcyutlFFDB37/GZ83
         vudjC/fPf5pEo/tspUAIcB4nJ3uTYgjVswkiS30xDBDBhDPOCTLSolFVrJQ3ejZYbU2e
         h50z5l3GzomgjwVBOvrX/Gkcny7wDysKiIbNvmSqZdRWzp0eixWr+Dfouo5qGvTHW4kt
         kAHg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:from:date:message-id:subject:to:cc;
        bh=6dQwp+n3JOcX+nLXSXjNOHWl3D3cLU9xBCqYgREOWb4=;
        b=CgPNJ5Zpb2Nj/ixOMAo4ZB43md7yjY7I5dCVrf1o605SbxxmZfQqYYcbxhwn1rdPst
         ZvpWSWv3oGbUBgtrXD4olFvl5eFaxcdXe2A8JyNSOXwOw2SEoctVF1ikKP7Z7eeq4OQS
         kuJOA8lZ8STqHZ3kxXx16+pHrzozoNvH9Xjg9zfTZHAdmXSkS74cdhMRvix/5vHvriqF
         btLH9RsxAx0jxFkv+MIFec0B24lqxsMqxGJkRjl6RZNgS+No8sjvzBFT2pH2a9e189dX
         u8v++t1XRnB0s/6K+D2I53ywvBY+eg7FgAhuUKqnP7kSMAJBdrggqgmGU0t2SiLVZzXM
         bC7g==
X-Gm-Message-State: AOAM533GP0vChtCh4PdQkrNUpXhUZ63kn5NQfOTVoErTAESX02zuRlvN
        ETudJ27cxaT9C/45QVjMUl/4Ck8z2WW29fVyX6brszGVhd4oBQ==
X-Received: by 2002:a5e:d70e:: with SMTP id v14mr44715814iom.75.1608168606099;
 Wed, 16 Dec 2020 17:30:06 -0800 (PST)
MIME-Version: 1.0
From:   Keno Fischer <keno@juliacomputing.com>
Date:   Wed, 16 Dec 2020 20:29:30 -0500
Message-ID: <CABV8kRwoHAAdez8k60O+AJ9E3g5_PM0F6tpbpB9dC115_FD3Eg@mail.gmail.com>
Subject: brk checks in PR_SET_MM code
To:     Linux Kernel Mailing List <linux-kernel@vger.kernel.org>
Cc:     gorcunov@openvz.org, Andrew Morton <akpm@linux-foundation.org>,
        mkoutny@suse.com, ktkhai@virtuozzo.com
Content-Type: text/plain; charset="UTF-8"
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Hi all,

The code in prctl(PR_SET_MM, ...) performs a number of sanity checks,
among them

```
/*
 * @brk should be after @end_data in traditional maps.
 */
if (prctl_map->start_brk <= prctl_map->end_data ||
    prctl_map->brk <= prctl_map->end_data)
goto out;
```

The original commit that introduces this check
(f606b77f1a9e362451aca8f81d8f36a3a112139e) says:

```
4) As in regular Elf loading procedure we require that @start_brk and
   @brk be greater than @end_data.
```

However, it does not appear that this invariant is actually
enforced during regular ELF loading. In particular, at least on my
linux distribution, it does not appear to be satisfied when
invoking the dynamic linker directly.
For example, consider the following test application:

```
#include <sys/prctl.h>
#include <unistd.h>
#include <assert.h>

int main(void) {
    int err = prctl(PR_SET_MM, PR_SET_MM_BRK, sbrk(0), 0, 0);
    assert(err == 0);
    return 0;
}
```
```
$ su
# ./a.out
# /lib64/ld-linux-x86-64.so.2 ./a.out
a.out: test.c:7: main: Assertion `err == 0' failed.
Aborted
```

I don't understand this code well enough to know what the
intended behavior is, but unfortunately this causes some
processes to be non-restorable using the PR_SET_MM
mechanism, which defeats the whole purpose of that API.
Could somebody clarify whether this situation is indeed
supposed to be impossible and if not whether said checks
in PR_SET_MM are actually supposed to be there?
I suppose this is also technically a regression when the
old PR_SET_MM commands were refactored to use this
new validation. Previously only the commands that changed
the brk validated this invariant, but these days it tries
to validate the entire structure at once, so all the PR_SET_MM
calls will fail in a process whose layout violates the sanity
check.

Thanks,
Keno