Received: by 2002:a05:6a10:1d13:0:0:0:0 with SMTP id pp19csp3413400pxb; Mon, 30 Aug 2021 01:14:17 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwJa0v859vHruaP8KcrhbZIfoe64DVlu8gbTd8jtjkA0bTzvY5BwY8g68cvC2M2VagA1BpT X-Received: by 2002:a17:906:cecd:: with SMTP id si13mr3088130ejb.93.1630311257373; Mon, 30 Aug 2021 01:14:17 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1630311257; cv=none; d=google.com; s=arc-20160816; b=uy3KnJqK5eXA4UurJJXxSyZowAQnH8SLNdwN+mWld66OGoQp/swtwagfVqcZFXPQSh VuJwVdU1oFz57w1Ri+pWcGtkOwCnVFgxLmIG6IsLQiunrsVAcPuD6EQyDfY0zAcYyr5O 7Ce4vKlqYK3dIeUYIqqtEoLssbQMM0lhd0eEN8sm+Bpq1uuJL18olr6aMMI2G8ddm1a8 Cmb+Zh4LSKHVq8eN2du+yhh16vBcWGAL3A+kTOXBh+kbMRXc7zjbV/fXtW9dj5yG5Qd+ +w2o7db8r3LqFFP6YR0qIArayZq5syQ6C3vmt1WdUIC3nSt5mC8BmO6irQ9KrQxpFbne 6rhQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:content-language :in-reply-to:mime-version:user-agent:date:message-id:from:references :cc:to:subject:dkim-signature; bh=37NPYMAcAJ2zN2cJYUDeD0UMO7gOVKhQ3wSJbKTk4Y4=; b=X1y/7lu6y358UiyYB9B2yHcZHk1l+02NG1Qmy1M/qDQ2UNGgCnSlrXG32HyQ38bged GPssWnUye9v4xT0hIr4MLz1wAam9sX8WwfpXQQ7yr0Jpca1KmBN1hyo6EV9WMO9QUiN6 if7D0Y13lvoL4FuUGCxaT2SFtumxKaLwI2GYjBiibQr2SPSjKKbCuGsBaregi8xCAflG kGd3Yy2KFqdduVH6tF71cVzkSNjG0uGxgnrxNofh60NvH3k4jIM5p1gsoN3SMOgiwP64 0HGaw+I3l0880DXJa3uKZZEpcPTdpuBn4SycD1Xl5rv26tzvOMH90LECu/CisUAKWm15 8W9g== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@rasmusvillemoes.dk header.s=google header.b=GCDOzcNz; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id m25si14009914edp.132.2021.08.30.01.13.53; Mon, 30 Aug 2021 01:14:17 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@rasmusvillemoes.dk header.s=google header.b=GCDOzcNz; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234308AbhH3INR (ORCPT + 99 others); Mon, 30 Aug 2021 04:13:17 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:45524 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234173AbhH3INQ (ORCPT ); Mon, 30 Aug 2021 04:13:16 -0400 Received: from mail-lf1-x12f.google.com (mail-lf1-x12f.google.com [IPv6:2a00:1450:4864:20::12f]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 16742C061760 for ; Mon, 30 Aug 2021 01:12:22 -0700 (PDT) Received: by mail-lf1-x12f.google.com with SMTP id j4so29560903lfg.9 for ; Mon, 30 Aug 2021 01:12:22 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rasmusvillemoes.dk; s=google; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=37NPYMAcAJ2zN2cJYUDeD0UMO7gOVKhQ3wSJbKTk4Y4=; b=GCDOzcNzVhs4IQ7426ZVN03J0Ko2sEjG9cQEZGeMHf7zHH0uTul5FY+dMxWAJAq77p j+8i+7QJbELQPKI4PT+dLeghPh3S68CXIvvm52+XXL80drAEs96e4nX4qMjOTIzgJVC8 cARoPXDw1opzv8Bt2MuT5eD6UsHeTs6ZLJSBo= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=37NPYMAcAJ2zN2cJYUDeD0UMO7gOVKhQ3wSJbKTk4Y4=; b=WrAbFH/NBdkf7umSNsnpQR0sc87hS45BkXUe73T81ntSqhun3yySEqhYy4cdHtCQB8 E76cKh/FD1/lAtWugElz3AkOn24AjET57HwBzfB2/j6469/QSGqyKCdw/8W9m+nOO7Fs qLYAhHaxCpHqSQqSsEi497ZumHcV/YC/Tgc9RC3+fDqy1FUvnQ6eDD33AR3WzrGJPzPb LBz2/vz2obReXoWyU3xbzcdesg5LlYrdcu+TqQMtYNRGeM2NY1lVOwZ+5SHnSKD0sMp2 wHLS88C/wHTLbOcqHtIL2rHLH3ble78Vz7bDy2oPxHAtnnjJn6k+SOyzEMk7PI1Wr6Nt jsRQ== X-Gm-Message-State: AOAM533Gj5/nK2cO3cSkc5wmd4PWiJU5Sj8Z/2nT2xe5xodCAqc/MCVy J/mpe5t8H5CWHedWSXBYqkS+uw== X-Received: by 2002:a05:6512:1686:: with SMTP id bu6mr16774526lfb.168.1630311141001; Mon, 30 Aug 2021 01:12:21 -0700 (PDT) Received: from [172.16.11.1] ([81.216.59.226]) by smtp.gmail.com with ESMTPSA id e4sm676505lfc.141.2021.08.30.01.12.18 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 30 Aug 2021 01:12:20 -0700 (PDT) Subject: Re: [PATCH v8 2/3] mm: add a field to store names for private anonymous memory To: Suren Baghdasaryan , Kees Cook Cc: Matthew Wilcox , Andrew Morton , Colin Cross , Sumit Semwal , Michal Hocko , Dave Hansen , "Kirill A . Shutemov" , Vlastimil Babka , Johannes Weiner , Jonathan Corbet , Al Viro , Randy Dunlap , Kalesh Singh , Peter Xu , rppt@kernel.org, Peter Zijlstra , Catalin Marinas , vincenzo.frascino@arm.com, =?UTF-8?B?Q2hpbndlbiBDaGFuZyAo5by16Yym5paHKQ==?= , Axel Rasmussen , Andrea Arcangeli , Jann Horn , apopple@nvidia.com, John Hubbard , Yu Zhao , Will Deacon , fenghua.yu@intel.com, thunder.leizhen@huawei.com, Hugh Dickins , feng.tang@intel.com, Jason Gunthorpe , Roman Gushchin , Thomas Gleixner , krisman@collabora.com, chris.hyser@oracle.com, Peter Collingbourne , "Eric W. Biederman" , Jens Axboe , legion@kernel.org, eb@emlix.com, Muchun Song , Viresh Kumar , thomascedeno@google.com, sashal@kernel.org, cxfcosmos@gmail.com, linux@rasmusvillemoes.dk, LKML , linux-fsdevel@vger.kernel.org, linux-doc@vger.kernel.org, linux-mm , kernel-team References: <20210827191858.2037087-1-surenb@google.com> <20210827191858.2037087-3-surenb@google.com> <202108272228.7D36F0373@keescook> From: Rasmus Villemoes Message-ID: Date: Mon, 30 Aug 2021 10:12:18 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.11.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 28/08/2021 23.47, Suren Baghdasaryan wrote: > On Fri, Aug 27, 2021 at 10:52 PM Kees Cook wrote: >> >>>> + case PR_SET_VMA_ANON_NAME: >>>> + name = strndup_user((const char __user *)arg, >>>> + ANON_VMA_NAME_MAX_LEN); >>>> + >>>> + if (IS_ERR(name)) >>>> + return PTR_ERR(name); >>>> + >>>> + for (pch = name; *pch != '\0'; pch++) { >>>> + if (!isprint(*pch)) { >>>> + kfree(name); >>>> + return -EINVAL; >>> >>> I think isprint() is too weak a check. For example, I would suggest >>> forbidding the following characters: ':', ']', '[', ' '. Perhaps Indeed. There's also the issue that the kernel's ctype actually implements some almost-but-not-quite latin1, so (some) chars above 0x7f would also pass isprint() - while everybody today expects utf-8, so the ability to put almost arbitrary sequences of chars with the high bit set could certainly confuse some parsers. IOW, don't use isprint() at all, just explicitly check for the byte values that we and up agreeing to allow/forbid. >>> isalnum() would be better? (permit a-zA-Z0-9) I wouldn't necessarily >>> be opposed to some punctuation characters, but let's avoid creating >>> confusion. Do you happen to know which characters are actually in use >>> today? >> >> There's some sense in refusing [, ], and :, but removing " " seems >> unhelpful for reasonable descriptors. As long as weird stuff is escaped, >> I think it's fine. Any parser can just extract with m|\[anon:(.*)\]$| > > I see no issue in forbidding '[' and ']' but whitespace and ':' are > currently used by Android. Would forbidding or escaping '[' and ']' be > enough? how about allowing [0x20, 0x7e] except [0x5b, 0x5d], i.e. all printable (including space) ascii characters, except [ \ ] - the brackets as already discussed, and backslash because then there's nobody who can get confused about whether there's some (and then which?) escaping mechanism in play - "\n" is simply never going to appear. Simple rules, easy to implement, easy to explain in a man page. >> >> For example, just escape it here instead of refusing to take it. Something >> like: >> >> name = strndup_user((const char __user *)arg, >> ANON_VMA_NAME_MAX_LEN); >> escaped = kasprintf(GFP_KERNEL, "%pE", name); I would not go down that road. First, it makes it much harder to explain the rules for what are allowed and not allowed. Second, parsers become much more complicated. Third, does the length limit then apply to the escaped or unescaped string? Rasmus