Date: Mon, 30 Aug 2021 17:59:04 +0100
From: Matthew Wilcox
To: Suren Baghdasaryan
Cc: Rasmus Villemoes, Kees Cook, Andrew Morton, Colin Cross, Sumit Semwal, Michal Hocko, Dave Hansen, "Kirill A . Shutemov", Vlastimil Babka, Johannes Weiner, Jonathan Corbet, Al Viro, Randy Dunlap, Kalesh Singh, Peter Xu, rppt@kernel.org, Peter Zijlstra, Catalin Marinas, vincenzo.frascino@arm.com, Chinwen Chang (張錦文), Axel Rasmussen, Andrea Arcangeli, Jann Horn, apopple@nvidia.com, John Hubbard, Yu Zhao, Will Deacon, fenghua.yu@intel.com, thunder.leizhen@huawei.com, Hugh Dickins, feng.tang@intel.com, Jason Gunthorpe, Roman Gushchin, Thomas Gleixner, krisman@collabora.com, chris.hyser@oracle.com, Peter Collingbourne, "Eric W. Biederman", Jens Axboe, legion@kernel.org, Rolf Eike Beer, Muchun Song, Viresh Kumar, Thomas Cedeno, sashal@kernel.org, cxfcosmos@gmail.com, LKML, linux-fsdevel@vger.kernel.org, linux-doc@vger.kernel.org, linux-mm, kernel-team
Subject: Re: [PATCH v8 2/3] mm: add a field to store names for private anonymous memory

On Mon, Aug 30, 2021 at 09:16:14AM -0700, Suren Baghdasaryan wrote:
> On Mon, Aug 30, 2021 at 1:12 AM Rasmus Villemoes wrote:
> >
> > On 28/08/2021 23.47, Suren Baghdasaryan wrote:
> > > On Fri, Aug 27, 2021 at 10:52 PM Kees Cook wrote:
> > >>
> > >>>> + case PR_SET_VMA_ANON_NAME:
> > >>>> + name = strndup_user((const char __user *)arg,
> > >>>> + ANON_VMA_NAME_MAX_LEN);
> > >>>> +
> > >>>> + if (IS_ERR(name))
> > >>>> + return PTR_ERR(name);
> > >>>> +
> > >>>> + for (pch = name; *pch != '\0'; pch++) {
> > >>>> + if (!isprint(*pch)) {
> > >>>> + kfree(name);
> > >>>> + return -EINVAL;
> > >>>
> > >>> I think isprint() is too weak a check. For example, I would suggest
> > >>> forbidding the following characters: ':', ']', '[', ' '. Perhaps
> >
> > Indeed. There's also the issue that the kernel's ctype actually
> > implements some almost-but-not-quite latin1, so (some) chars above 0x7f
> > would also pass isprint() - while everybody today expects utf-8, so the
> > ability to put almost arbitrary sequences of chars with the high bit set
> > could certainly confuse some parsers. IOW, don't use isprint() at all,
> > just explicitly check for the byte values that we end up agreeing to
> > allow/forbid.
> >
> > >>> isalnum() would be better? (permit a-zA-Z0-9) I wouldn't necessarily
> > >>> be opposed to some punctuation characters, but let's avoid creating
> > >>> confusion. Do you happen to know which characters are actually in use
> > >>> today?
> > >>
> > >> There's some sense in refusing [, ], and :, but removing " " seems
> > >> unhelpful for reasonable descriptors. As long as weird stuff is escaped,
> > >> I think it's fine. Any parser can just extract with m|\[anon:(.*)\]$|
> > >
> > > I see no issue in forbidding '[' and ']' but whitespace and ':' are
> > > currently used by Android. Would forbidding or escaping '[' and ']' be
> > > enough?
> >
> > how about allowing [0x20, 0x7e] except [0x5b, 0x5d], i.e. all printable
> > (including space) ascii characters, except [ \ ] - the brackets as
> > already discussed, and backslash because then there's nobody who can get
> > confused about whether there's some (and then which?) escaping mechanism
> > in play - "\n" is simply never going to appear. Simple rules, easy to
> > implement, easy to explain in a man page.
>
> Thanks for the suggestion, Rasmus. I'm all for keeping it simple.
> Kees, Matthew, would that be acceptable?

Yes, I think so. It permits all kinds of characters that might be
confusing if passed on to something else, but we can't prohibit
everything, and forbidding just these three should remove any confusion
for any parser of /proc.

Little Bobby Tables thanks you.
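
Review bot: the "if (!isprint(*pch))" test in the PR_SET_VMA_ANON_NAME loop is too permissive for a string that is later printed inside "[anon:...]" in /proc. As the replies quoted here point out, the kernel's ctype table lets some bytes above 0x7f pass isprint(), and '[', ']' and '\' are all printable, so a name can contain the very delimiters a parser keys on. Compare byte values explicitly instead, rejecting anything outside 0x20..0x7e and anything in 0x5b..0x5d, and state the allowed set in the prctl documentation so parser authors can rely on it.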
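
The byte rule agreed in this thread, as an added userspace C example that is not part of the patch or of any message here: anon_name_valid() applies "[0x20, 0x7e] except [0x5b, 0x5d]", and the hypothetical extract_anon_name() and name_round_trips() helpers show a line-oriented reader recovering the name from a constructed maps-style line. All function names and sample names are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Rule from the thread: allow 0x20..0x7e except 0x5b..0x5d ('[', '\\', ']').
 * Comparing unsigned bytes rejects high-bit values without any ctype table. */
bool anon_name_valid(const char *name)
{
	for (const unsigned char *p = (const unsigned char *)name; *p; p++)
		if (*p < 0x20 || *p > 0x7e || (*p >= 0x5b && *p <= 0x5d))
			return false;
	return true;
}

/* Hypothetical reader-side helper mirroring m|\[anon:(.*)\]$| on one line. */
int extract_anon_name(const char *line, char *out, size_t outlen)
{
	const char *start = strstr(line, "[anon:");
	size_t len = strlen(line);

	if (!start || line[len - 1] != ']')
		return -1;
	start += strlen("[anon:");
	size_t n = (size_t)(line + len - 1 - start);
	if (n >= outlen)
		return -1;
	memcpy(out, start, n);
	out[n] = '\0';
	return 0;
}

/* Builds a constructed maps-style line, keeps only its first line as a
 * line-oriented parser would, and reports whether the name survived. */
bool name_round_trips(const char *name)
{
	char line[256], got[128];

	snprintf(line, sizeof(line),
		 "7f0000000000-7f0000001000 rw-p 00000000 00:00 0 [anon:%s]", name);
	line[strcspn(line, "\n")] = '\0';
	return extract_anon_name(line, got, sizeof(got)) == 0 && !strcmp(got, name);
}

int main(void)
{
	/* Constructed sample names, not taken from any real process. */
	const char *s[] = { "dalvik main", "a:b", "a]b", "a\\b", "a\nb", "caf\xe9" };
	for (size_t i = 0; i < sizeof(s) / sizeof(s[0]); i++)
		printf("valid=%d round_trip=%d\n", anon_name_valid(s[i]), name_round_trips(s[i]));
	return 0;
}
```

Names containing a space or ':' pass the check, while a name with an embedded newline is rejected and would not have survived the round trip through a line-based reader.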