Received: by 2002:a05:6358:9144:b0:117:f937:c515 with SMTP id r4csp5098978rwr; Mon, 8 May 2023 18:22:40 -0700 (PDT) X-Google-Smtp-Source: ACHHUZ7WdJrk5nhWEYFuOY/TCuqnCR3oWZrwc2pr+/R+vuPvcVynK3h+HfzDz93LJsaybLcLbH5B X-Received: by 2002:a05:6a00:2d85:b0:646:8515:c763 with SMTP id fb5-20020a056a002d8500b006468515c763mr3405791pfb.9.1683595359803; Mon, 08 May 2023 18:22:39 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1683595359; cv=none; d=google.com; s=arc-20160816; b=pRMTnQ5gkXexGJRXND3ByEUkGTcFYJBordjbuNm+t6Wls/TJX0dVXmpciqLufcbykQ ho3lvWXpMV0nzrNSvHF2Fjt5n12K0LHCvfvXGglfzjJiHD43CEb4F0+rSmXayujcE53y hH2LCs1UgxPzDiJMEHEztYwt547TGxQ1EhboYiEgG7mST9Oor1drFdoAdaHoZr6IiQtL UK1yVaHgjFTuDL/IeqwHIGTtl3xCYXA1SHIzN0x7ob1TeTAKa4RgLGb3SwJpovSUpqvX KXSnI/TAGSM+86bPG4Rx88s/r/Xx5nc59+6h8UaOVi08rpLk3dRLwAqQ5nP5bjQNwPNs 4RvA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-transfer-encoding :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:dkim-signature; bh=xjbIFdYA7ZLprFEPKvqLjiDfPiU+1R5Mk42cfin4h/Q=; b=Fbw+K2WXXOAEaulL4PHQJ+sN5W8lWvpT0tblSWIYkdD7K22i2QR7YEhJoCv+yE9Eon 2d/SJMoi21cYWy2/QB/VZBMXFRTUzx5DLSN8vk/z/uty3juwYW+iWdDiIOltrecUcfX5 kXKcwnQE33naW6arjQdCSdPA2Z0jyP5pL+aP0LLr8Brht1K5Lh2q1QkTfc4KIWsjfD3X LNEclxzCRzGV3loAt1HdnDeur59yIXV3sYcUc/iV3zDmwaMV7gQiORCT/OwovRGOeEiy kcwWWMFNLh0x22gJpyHkhwkCx5O+FyxTJxhtJht0Glti7QZPjK5YznYr/2LQmNKv7V5C +9Mw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass (test mode) header.i=@pku.edu.cn header.s=dkim header.b=WbMwtobw; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=pku.edu.cn Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id bv9-20020a632e09000000b0051b5de41857si299466pgb.101.2023.05.08.18.22.25; Mon, 08 May 2023 18:22:39 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass (test mode) header.i=@pku.edu.cn header.s=dkim header.b=WbMwtobw; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=pku.edu.cn Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231249AbjEIBS4 (ORCPT + 99 others); Mon, 8 May 2023 21:18:56 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:57188 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229455AbjEIBSz (ORCPT ); Mon, 8 May 2023 21:18:55 -0400 Received: from pku.edu.cn (mx18.pku.edu.cn [162.105.129.181]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 0286E4C11; Mon, 8 May 2023 18:18:48 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pku.edu.cn; s=dkim; h=Received:Date:From:To:Cc:Subject: Message-ID:References:MIME-Version:Content-Type: Content-Disposition:Content-Transfer-Encoding:In-Reply-To; bh=xj bIFdYA7ZLprFEPKvqLjiDfPiU+1R5Mk42cfin4h/Q=; b=WbMwtobwt590XE+dzh IeLxtinZTW5dxH1VZtgmW0nJKYcFZwCFNLxCZK0TcQa8v6ldiawiQunedj/NxO49 cxDC4QO7CEYcxzdLxNZHf4Y0lLBAf/RDrs4WsBOR/Jt6nIXsBX8IKjE4hBlL7tG0 diZZkFUnN+FeQLbuAEztlQhAo= Received: from localhost (unknown [10.7.101.92]) by front01 (Coremail) with SMTP id 5oFpogCXHz5Wn1lkGk5PAg--.4269S2; Tue, 09 May 2023 09:18:18 +0800 (CST) Date: Tue, 9 May 2023 09:18:14 +0800 From: Ruihan Li To: Pasha Tatashin Cc: David Hildenbrand , Matthew Wilcox , syzbot+fcf1a817ceb50935ce99@syzkaller.appspotmail.com, akpm@linux-foundation.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, gregkh@linuxfoundation.org, linux-usb@vger.kernel.org, syzkaller-bugs@googlegroups.com, Ruihan Li Subject: Re: usbdev_mmap causes type confusion in page_table_check Message-ID: References: <366ab078-1101-421c-691d-34f5efe006b5@redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: X-CM-TRANSID: 5oFpogCXHz5Wn1lkGk5PAg--.4269S2 X-Coremail-Antispam: 1UD129KBjvJXoWxXr48Jr4Dtr1kCr4rXr43Jrb_yoW5uFyxpa y3t3W7Crs8GFn8X34qvwn5ZryFyrs3X3y8Xrn8X3s8C3s8trySkr1Syr12va4akrWfA3Wj vFWYga4rAay5Aa7anT9S1TB71UUUUUUqnTZGkaVYY2UrUUUUjbIjqfuFe4nvWSU5nxnvy2 9KBjDU0xBIdaVrnRJUUUB01xkIjI8I6I8E6xAIw20EY4v20xvaj40_Wr0E3s1l1IIY67AE w4v_Jr0_Jr4l8cAvFVAK0II2c7xJM28CjxkF64kEwVA0rcxSw2x7M28EF7xvwVC0I7IYx2 IY67AKxVWDJVCq3wA2z4x0Y4vE2Ix0cI8IcVCY1x0267AKxVWxJr0_GcWl84ACjcxK6I8E 87Iv67AKxVW0oVCq3wA2z4x0Y4vEx4A2jsIEc7CjxVAFwI0_GcCE3s1lnxkEFVAIw20F6c xK64vIFxWle2I262IYc4CY6c8Ij28IcVAaY2xG8wAqx4xG64xvF2IEw4CE5I8CrVC2j2Wl Yx0E2Ix0cI8IcVAFwI0_Jr0_Jr4lYx0Ex4A2jsIE14v26r1j6r4UMcvjeVCFs4IE7xkEbV WUJVW8JwACjcxG0xvEwIxGrwACjI8F5VA0II8E6IAqYI8I648v4I1lFIxGxcIEc7CjxVA2 Y2ka0xkIwI1lc2xSY4AK6svPMxAIw28IcxkI7VAKI48JMxAIw28IcVCjz48v1sIEY20_Kr 1UJr1l4I8I3I0E4IkC6x0Yz7v_Jr0_Gr1lx2IqxVAqx4xG67AKxVWUJVWUGwC20s026x8G jcxK67AKxVWUGVWUWwC2zVAF1VAY17CE14v26r1q6r43MIIYrxkI7VAKI48JMIIF0xvE2I x0cI8IcVAFwI0_Jr0_JF4lIxAIcVC0I7IYx2IY6xkF7I0E14v26r4j6F4UMIIF0xvE42xK 8VAvwI8IcIk0rVWUJVWUCwCI42IY6I8E87Iv67AKxVWUJVW8JwCI42IY6I8E87Iv6xkF7I 0E14v26r4j6r4UJbIYCTnIWIevJa73UjIFyTuYvjfUOlksUUUUU X-CM-SenderInfo: yssqiiarrvmko6sn3hxhgxhubq/1tbiAgEEBVPy770DbwAPsS X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_PASS,SPF_PASS, T_SCC_BODY_TEXT_LINE,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Thanks for the discussion! On Mon, May 08, 2023 at 05:07:26PM -0700, Pasha Tatashin wrote: > On Mon, May 8, 2023 at 4:37 PM David Hildenbrand wrote: > > > > On 09.05.23 01:21, Pasha Tatashin wrote: > > >> For normal Kernel-MM operations, vm_normal_page() should be used to > > >> get "struct page" based on vma+addr+pte combination, but > > >> page_table_check does not use vma for its operation in order to > > >> strengthen the verification of no invalid page sharing. But, even > > > > I'm not sure if that's the right approach for this case here, though. > > > > >> vm_normal_page() can cause access to the "struct page" for VM_PFNMAP > > >> if pfn_valid(pfn) is true. So, vm_normal_page() can return a struct > > >> page for a user mapped slab page. > > > > > > Only for !ARCH_HAS_PTE_SPECIAL case, otherwise NULL is returned. > > > > That would violate VM_PFNMAP semantics, though. I remember that there > > was a trick to it. > > > > Assuming we map /dev/mem, what stops a page we mapped and determined to > > be !anon to be freed and reused, such that we suddenly have an anon page > > mappped? > > > > In that case, we really don't want to look at the "struct page" ever, no? > > Good point. page_table_check just does not work well /dev/mem. I am > thinking of adding BUG_ON(PageSlab(page); and also "depends on > !DEVMEM" for the PAGE_TABLE_CHECK config option. > > Pasha Agreed. I have previously thought about using something like anon = !PageSlab(page) && PageAnon(page); or BUG(PageSlab(page)) in page_table_check_*. But this just does not work well with /dev/mem, and cannot be made to work unless something like VM_PFNMAP is involved. The reason is that both PageSlab(page) and PageAnon(page) can evaluate to different values when mapping and unmapping the same page, since the page number can be totally arbitrary. But if we do not want /dev/mem to work with PAGE_TABLE_CHECK, this is what I doubted and Pasha confirmed earlier, On Mon, May 08, 2023 at 05:27:10PM -0400, Pasha Tatashin wrote: > On Sun, May 7, 2023 at 9:58 AM Ruihan Li wrote: > > This does not actually fix the type confusion bug in page_table_check_*. It > > should be noted that by leveraging /dev/mem, users can map arbitrary physical > > memory regions into the user space, which is also achieved through > > remap_pfn_range. I'm not 100% certain whether a fix is necessary, as one may > > argue that using page table checks (a kernel hardening technique, which means > > security is important) and /dev/mem (clearly insecure and potentially > > Yes, /dev/mem device is a security problem, and would not work with a > hardern kernel. > > > exploitable) together is completely unreasonable. we should enforce this explicitly (and perhaps document it explicitly as well), and the exact way to do this is to make the PAGE_TABLE_CHECK config option dependent on !DEVMEM. This also implies that we must fix hcd_buffer_alloc on the usb side as well. I am also not sure if there are other uses of remap_pfn_range on slab pages (as David asked earlier) besides usbfs and /dev/mem. Maybe the calls to remap_pfn_range (and other functions that can map the userspace memory?) need to be manually checked one by one. But later I can first try this approach at least, and see if anything goes wrong (though unlikely). Thanks, Ruihan Li