From: Vladimir Murzin <murzin.v@gmail.com>
To: Russell King - ARM Linux <linux@arm.linux.org.uk>
Cc: linux-arch@vger.kernel.org, tglx@linutronix.de,
davem@davemloft.net, lethal@linux-sh.org
Subject: Re: [PATCH 0/6] get rid of extra check for TASK_SIZE in get_unmapped_area
Date: Wed, 9 May 2012 21:56:03 +0400 [thread overview]
Message-ID: <20120509175557.GA2823@pinguin> (raw)
In-Reply-To: <20120509162657.GC10241@n2100.arm.linux.org.uk>
On Wed, May 09, 2012 at 05:26:57PM +0100, Russell King - ARM Linux wrote:
> On Tue, May 08, 2012 at 06:40:16PM +0400, Vladimir Murzin wrote:
> > From: Vladimir Murzin <murzin.v@gmail>
> >
> > The current get_unmapped_area code calls the f_ops->get_unmapped_area or
> > the arch's one (via the mm) only when check for TASK_SIZE is passed. However,
> > generic code and some arches do the same check in their a_g_u_a implementation.
> >
> > This series of patches fix the check order for TASK_SIZE in archs'
> > get_unmapped_area() implementations, and then removes extra check in
> > high-level get_unmapped_area().
>
> Do we even need this check in arch code? AFAICS it's already checked in
> get_unmapped_area(), and this will be called prior to any
> arch_get_unmapped_area() implementation. Given that this is a potential
> security issue, please check my analysis of this.
>
> unsigned long
> get_unmapped_area(struct file *file, unsigned long addr, unsigned long len,
> unsigned long pgoff, unsigned long flags)
> {
> ...
> /* Careful about overflows.. */
> if (len > TASK_SIZE)
> return -ENOMEM;
>
> get_area = current->mm->get_unmapped_area;
> if (file && file->f_op && file->f_op->get_unmapped_area)
> get_area = file->f_op->get_unmapped_area;
Thanks for analysis.
Most of arches do checking for (len > TASK_SIZE) in their a_g_u_a or in
generic one. However, mips, alpha, sparc and ia64 at least do this
checking in a slightly different way.
So, for arches which use generic implementation or have no any special
case
/* Careful about overflows.. */
if (len > TASK_SIZE)
return -ENOMEM;
get_area = current->mm->get_unmapped_area;
is expanded into
/* Careful about overflows.. */
if (len > TASK_SIZE)
return -ENOMEM;
/* there is arch_get_unmapped_area started */
if (len > TASK_SIZE)
return -ENOMEM;
/* other stuff in arch_get_unmapped_area */
On the other hand, for arches which have to handle special case for
length checking test for (len > TASK_SIZE) has no sense.
To avoid security issue checking for length should be done
first. Unfortunately, not all arches follow this rule and test in
get_unmapped_area() doesn't cover some cases. For instanse, sparc32 do
checking like
unsigned long arch_get_unmapped_area(struct file *filp, unsigned long
addr, unsigned long len, unsigned long pgoff, unsigned long flags)
{
struct vm_area_struct * vmm;
if (flags & MAP_FIXED) {
/* We do not accept a shared mapping if it would violate
* cache aliasing constraints.
*/
if ((flags & MAP_SHARED) &&
((addr - (pgoff << PAGE_SHIFT)) & (SHMLBA - 1)))
return -EINVAL;
return addr;
}
/* See asm-sparc/uaccess.h */
if (len > TASK_SIZE - PAGE_SIZE)
return -ENOMEM;
...
It seems we could be successful in request a page at fixed address
(TASK_SIZE - PAGE_SIZE) despite the fact that it isn't desirable.
Best wishes
Vladimir Murzin
next prev parent reply other threads:[~2012-05-09 17:58 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-05-08 14:40 [PATCH 0/6] get rid of extra check for TASK_SIZE in get_unmapped_area Vladimir Murzin
2012-05-08 14:40 ` [PATCH 1/6] get_unmapped_area checks for TASK_SIZE before MAP_FIXED on arm Vladimir Murzin
2012-05-08 14:40 ` [PATCH 2/6] get_unmapped_area checks for TASK_SIZE before MAP_FIXED on sh Vladimir Murzin
2012-05-08 14:40 ` [PATCH 3/6] get_unmapped_area checks for TASK_SIZE before MAP_FIXED on sparc32 Vladimir Murzin
2012-05-08 16:27 ` Sam Ravnborg
2012-05-09 8:07 ` Vladimir Murzin
2012-05-09 16:18 ` Sam Ravnborg
2012-05-09 18:04 ` Vladimir Murzin
2012-05-08 17:00 ` David Miller
2012-05-08 14:40 ` [PATCH 4/6] get_unmapped_area checks for TASK_SIZE before MAP_FIXED on sparc64 Vladimir Murzin
2012-05-08 17:00 ` David Miller
2012-05-08 14:40 ` [PATCH 5/6] get_unmapped_area checks for TASK_SIZE before MAP_FIXED on x86_64 Vladimir Murzin
2012-05-08 14:40 ` [PATCH 6/6] get_unmapped_area remove extra check for TASK_SIZE Vladimir Murzin
2012-05-09 16:26 ` [PATCH 0/6] get rid of extra check for TASK_SIZE in get_unmapped_area Russell King - ARM Linux
2012-05-09 17:56 ` Vladimir Murzin [this message]
2012-05-09 18:07 ` Russell King - ARM Linux
2012-05-10 3:01 ` Vladimir Murzin
2012-05-10 7:55 ` Russell King - ARM Linux
2012-05-10 18:08 ` Vladimir Murzin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20120509175557.GA2823@pinguin \
--to=murzin.v@gmail.com \
--cc=davem@davemloft.net \
--cc=lethal@linux-sh.org \
--cc=linux-arch@vger.kernel.org \
--cc=linux@arm.linux.org.uk \
--cc=tglx@linutronix.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.