Received: by 2002:a05:6358:d09b:b0:dc:cd0c:909e with SMTP id jc27csp6588932rwb; Mon, 5 Dec 2022 14:47:20 -0800 (PST) X-Google-Smtp-Source: AA0mqf5d4WwXqtYbuBJaFB/IRozJ43OO9QoKJZunY4O3PaaKDrm019Y3AVhqy71atAYTjrWd7shd X-Received: by 2002:a17:906:5156:b0:7c0:efb6:8744 with SMTP id jr22-20020a170906515600b007c0efb68744mr6416423ejc.267.1670280440415; Mon, 05 Dec 2022 14:47:20 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1670280440; cv=none; d=google.com; s=arc-20160816; b=srz96REREKgd9Z05V9qy57mmWQIIVbkXEnv5b9oew6y5rh7KOt3PoRs5WIF6aWOaNb C4cSWMHbkU5JKrxDbGNVDdUN/8CQ6tFpbhhqFxf5gmCqKNUAom7JJCmfw7/6cEOIr+l0 2y/TBzta2aC1/0WFyqZNrRmXf3S0A9DJTorST4996x55uKcyNMuaHXkst2XQTnswMc3Z nREtCOQgsVWYLT57pqqJ/gsHXHtOMx/ut/7G/7n5U5SsjxRAEo/yDkYuNmWdB5aOY+GG XL4GGRxKRdT496zQPypTkZyRix0f51xpa7QdyOFc7UYJfB6YSSTv4r8QTCgnXdsGsXmh fAtg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:in-reply-to:references :cc:to:from:content-language:subject:user-agent:mime-version:date :message-id:dkim-signature:dkim-signature; bh=eZ4WsNiVNXdP/78KYzu1+u6hT2Y7e5e51ZAh5KxKHiQ=; b=LnCeNQMmxP5H9JelOuyuvPGt/ndOtzPSBa1poyb86h2JOZTJovJVmzo/ocZxWOh8bE XTX6oQ6srBPJcVbwEJY+bxapDiTo9t9DtI9N12bvei/f8cqT6Dynvdt4rN2e7jKS1j5L gl49WvZwyuKx/zz9Q7GjNOhEAj4nxm503jrd3Mu4aRyLWK18Qs3ISnWAE8dezk7n/bO7 FxPAC/HsvjsbDLp7tnbIpvj9gkLagvqxPUYyyazCE+NAAxSiYiaMP5Zx5RaN/rs1KLWu x2K0lsZOHNnPqL2gD48TLrukyT8HeCcUiCrKIsNW3r869n2fL+giVtytO5LdZ1G5qlb4 Ic8Q== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@suse.cz header.s=susede2_rsa header.b=Mz4LSylq; dkim=neutral (no key) header.i=@suse.cz header.s=susede2_ed25519 header.b=cxru7bdK; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id oz41-20020a1709077da900b0078db371355esi13774178ejc.987.2022.12.05.14.47.01; Mon, 05 Dec 2022 14:47:20 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@suse.cz header.s=susede2_rsa header.b=Mz4LSylq; dkim=neutral (no key) header.i=@suse.cz header.s=susede2_ed25519 header.b=cxru7bdK; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233716AbiLEW0X (ORCPT + 79 others); Mon, 5 Dec 2022 17:26:23 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:55444 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233785AbiLEW0T (ORCPT ); Mon, 5 Dec 2022 17:26:19 -0500 Received: from smtp-out2.suse.de (smtp-out2.suse.de [IPv6:2001:67c:2178:6::1d]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 62CA110544 for ; Mon, 5 Dec 2022 14:26:18 -0800 (PST) Received: from imap1.suse-dmz.suse.de (imap1.suse-dmz.suse.de [192.168.254.73]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-521) server-digest SHA512) (No client certificate requested) by smtp-out2.suse.de (Postfix) with ESMTPS id E360F1FDB8; Mon, 5 Dec 2022 22:26:16 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.cz; s=susede2_rsa; t=1670279176; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=eZ4WsNiVNXdP/78KYzu1+u6hT2Y7e5e51ZAh5KxKHiQ=; b=Mz4LSylqrP8ErHLX6mdTKsIxeP0X3J/KnbGcZy07dbAzqr9lkVLSzNAD59YERGfpuAM4X0 i/pNOJpaizAt9FQw+9Dded+bfrF/16FDjCSHP006daKugmd6ECcgwNutTAHHXoGs4GIFIJ h2FWdnZUqdcwMmsYHrgJQezFQM33nlU= DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.cz; s=susede2_ed25519; t=1670279176; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=eZ4WsNiVNXdP/78KYzu1+u6hT2Y7e5e51ZAh5KxKHiQ=; b=cxru7bdKCWSt4HvsfSK/Y0yCYP5U5zJzeIAsJ82Woitkp+SbNNrGGzTYTQT5YhN68ljSa8 ERtNVzU86oSgrJDA== Received: from imap1.suse-dmz.suse.de (imap1.suse-dmz.suse.de [192.168.254.73]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-521) server-digest SHA512) (No client certificate requested) by imap1.suse-dmz.suse.de (Postfix) with ESMTPS id C21DC13326; Mon, 5 Dec 2022 22:26:16 +0000 (UTC) Received: from dovecot-director2.suse.de ([192.168.254.65]) by imap1.suse-dmz.suse.de with ESMTPSA id Egi7LghwjmO9dQAAGKfGzw (envelope-from ); Mon, 05 Dec 2022 22:26:16 +0000 Message-ID: <6eb002c8-0e31-7c9f-bb3d-81c4430b296c@suse.cz> Date: Mon, 5 Dec 2022 23:26:16 +0100 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.5.1 Subject: Re: [PATCH v2] mmap: Fix do_brk_flags() modifying obviously incorrect VMAs Content-Language: en-US From: Vlastimil Babka To: Jann Horn , Andrew Morton Cc: Liam Howlett , "linux-mm@kvack.org" , "linux-kernel@vger.kernel.org" , Yu Zhao , Jason Donenfeld , Matthew Wilcox , SeongJae Park References: <20221205192304.1957418-1-Liam.Howlett@oracle.com> <20221205123250.3fc552d96fcca5dc58be8443@linux-foundation.org> In-Reply-To: Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit X-Spam-Status: No, score=-4.0 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,NICE_REPLY_A,RCVD_IN_DNSWL_MED, SPF_HELO_NONE,SPF_SOFTFAIL autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 12/5/22 23:13, Vlastimil Babka wrote: > On 12/5/22 22:55, Jann Horn wrote: >> On Mon, Dec 5, 2022 at 9:32 PM Andrew Morton wrote: >>> On Mon, 5 Dec 2022 19:23:17 +0000 Liam Howlett wrote: >>> > Add more sanity checks to the VMA that do_brk_flags() will expand. >>> > Ensure the VMA matches basic merge requirements within the function >>> > before calling can_vma_merge_after(). >>> >>> I't unclear what's actually being fixed here. >>> >>> Why do you feel we need the above changes? >>> >>> > Drop the duplicate checks from vm_brk_flags() since they will be >>> > enforced later. >>> > >>> > Fixes: 2e7ce7d354f2 ("mm/mmap: change do_brk_flags() to expand existing VMA and add do_brk_munmap()") >>> >>> Fixes in what way? Removing the duplicate checks? >> >> The old code would expand file VMAs on brk(), which is functionally >> wrong and also dangerous in terms of locking because the brk() path >> isn't designed for file VMAs and therefore doesn't lock the file >> mapping. Checking can_vma_merge_after() ensures that new anonymous >> VMAs can't be merged into file VMAs. >> >> See https://lore.kernel.org/linux-mm/CAG48ez1tJZTOjS_FjRZhvtDA-STFmdw8PEizPDwMGFd_ui0Nrw@mail.gmail.com/ And yeah, that URL should have been a Link: in the patch. And the scenario it's fixing described in a bit more detail? > I guess the point is that if we fix it still within 6.1, we don't have to > devise how exactly this is exploitable, but due to the insufficient locking > it most likely is, right?