From: Oleg Nesterov <oleg@redhat.com>
To: Mike Frysinger <vapier.adi@gmail.com>,
Andrew Morton <akpm@linux-foundation.org>
Cc: David Howells <dhowells@redhat.com>,
Roland McGrath <roland@redhat.com>,
linux-sh@vger.kernel.org, Paul Mundt <lethal@linux-sh.org>,
uclinux-dist-devel@blackfin.uclinux.org,
linux-kernel@vger.kernel.org
Subject: [PATCH 1/2] blackfin: ptrace: fix the unsafe usage of mm/find_vma
Date: Thu, 27 May 2010 19:56:09 +0000
Message-ID: <20100527195609.GB25935@redhat.com>
In-Reply-To: <20100527195544.GA25935@redhat.com>

1. is_user_addr_valid() must not assume child->mm != NULL, we can
   race with SIGKILL. Use get_task_mm().

2. find_vma() needs mm->mmap_sem, we can race with another thread
   which shares ->mm with the tracee.

3. Move the simple FIXED_CODE_ checks up, before other potentially
   costly checks, and thus outside of mmap_sem.

4. Uninline it, it is fat and has 2 callers.

Note: we scan mm->context.sram_list under mmap_sem too. Currently this
is unnecessary, but see the next patch.

Signed-off-by: Oleg Nesterov <oleg@redhat.com>
---
arch/blackfin/kernel/ptrace.c | 27 +++++++++++++++++++--------
1 file changed, 19 insertions(+), 8 deletions(-)
--- 34-rc1/arch/blackfin/kernel/ptrace.c~IUAV_1_GET_MM_TAKE_SEM 2010-05-27 17:52:36.000000000 +0200
+++ 34-rc1/arch/blackfin/kernel/ptrace.c 2010-05-27 20:07:10.000000000 +0200
@@ -113,29 +113,40 @@ put_reg(struct task_struct *task, long r
/*
* check that an address falls within the bounds of the target process's memory mappings
*/
-static inline int is_user_addr_valid(struct task_struct *child,
+static int is_user_addr_valid(struct task_struct *child,
unsigned long start, unsigned long len)
{
+ struct mm_struct *mm;
struct vm_area_struct *vma;
struct sram_list_struct *sraml;
+ int ret = 0;
/* overflow */
if (start + len < start)
return -EIO;
+ if (start >= FIXED_CODE_START && start + len < FIXED_CODE_END)
+ return 0;
- vma = find_vma(child->mm, start);
+ mm = get_task_mm(child);
+ if (!mm)
+ return -EIO;
+
+ down_read(&mm->mmap_sem);
+ vma = find_vma(mm, start);
if (vma && start >= vma->vm_start && start + len <= vma->vm_end)
- return 0;
+ goto out;
- for (sraml = child->mm->context.sram_list; sraml; sraml = sraml->next)
+ for (sraml = mm->context.sram_list; sraml; sraml = sraml->next)
if (start >= (unsigned long)sraml->addr
&& start + len < (unsigned long)sraml->addr + sraml->length)
- return 0;
+ goto out;
- if (start >= FIXED_CODE_START && start + len < FIXED_CODE_END)
- return 0;
+ ret = -EIO;
+out:
+ up_read(&mm->mmap_sem);
+ mmput(mm);
- return -EIO;
+ return ret;
}
/*
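
Review bot: the FIXED_CODE check moved to the top still compares with `start + len < FIXED_CODE_END`, and the sram_list loop also uses `<`, while the vma check uses `start + len <= vma->vm_end`. If FIXED_CODE_END and `sraml->addr + sraml->length` are exclusive ends, a range that finishes exactly on the boundary is rejected with -EIO; since the line is being moved anyway, either make the three comparisons consistent or add a comment saying why they differ. Separately, the function now takes `down_read(&mm->mmap_sem)` and can therefore sleep, and its answer only describes the mappings while the semaphore was held; the comment above the function should say both.
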
WARNING: multiple messages have this Message-ID
From: Oleg Nesterov <oleg@redhat.com>
To: Mike Frysinger <vapier.adi@gmail.com>,
Andrew Morton <akpm@linux-foundation.org>
Cc: David Howells <dhowells@redhat.com>,
Roland McGrath <roland@redhat.com>,
linux-sh@vger.kernel.org, Paul Mundt <lethal@linux-sh.org>,
uclinux-dist-devel@blackfin.uclinux.org,
linux-kernel@vger.kernel.org
Subject: [PATCH 1/2] blackfin: ptrace: fix the unsafe usage of mm/find_vma in is_user_addr_valid()
Date: Thu, 27 May 2010 21:56:09 +0200
Message-ID: <20100527195609.GB25935@redhat.com>
In-Reply-To: <20100527195544.GA25935@redhat.com>