From: Marc Reisner <reisner.marc@gmail.com>
To: wangkefeng.wang@huawei.com
Cc: akpm@linux-foundation.org, david@redhat.com, linux-mm@kvack.org,
omosnace@redhat.com, paul@paul-moore.com, peterz@infradead.org,
selinux@vger.kernel.org, stephen.smalley.work@gmail.com
Subject: Re: [PATCH v3 3/4] selinux: use vma_is_initial_stack() and vma_is_initial_heap()
Date: Wed, 7 Aug 2024 21:26:56 +0000 [thread overview]
Message-ID: <ZrPmoLKJEf1wiFmM@marcreisner.com> (raw)
In-Reply-To: <ba8477ed-b7a1-4833-a01a-b7d43ddb47b8@huawei.com>
It looks like this issue is still not fixed. There has been some
investigation on going in this Bugzilla for Fedora:
https://bugzilla.redhat.com/show_bug.cgi?id=2254434
The behavior we are seeing is that when a process has no heap and
mmap(2) is called with MAP_PRIVATE | MAP_ANONYMOUS, it allocates memory
on the heap.
If the address space returned by mmap(2) is later on made executable
with mprotect(2), that triggers an execheap avc.
We have a fairly simple reproducer. We widdled it down from picking an
address to pass to mmap(2) using getrandom(2) to using the same address
every time. Sometimes it triggers the behavior, sometimes it does not.
We also observe that disabling ASLR via sysctl
kernel.randomize_va_space=0 works around the issue, with obvious
caveats.
Here is a reproducer, which raises SIGSTOP so that you can analyze
/proc/<pid>/maps. It allocates a 512 MB address space and then attempts
to give it execute permissions. Running it multiple times will
eventually trigger the behavior.
#include <stdint.h>
#include <unistd.h>
#include <errno.h>
#include <sys/mman.h>
#include <sys/random.h>
#include <signal.h>
int main(void)
{
uintptr_t raw_addr = 0x25085000;
int length = 512 * 1024 * 1024;
void* pointer = mmap((void *)raw_addr, length, PROT_NONE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
if (!pointer)
{
raise(SIGSTOP);
return 1;
}
if (mprotect(pointer, length, PROT_READ | PROT_WRITE | PROT_EXEC) == -1)
{
raise(SIGSTOP);
return 1;
}
return 0;
}
As far as impact goes, this is mostly causing Chromium/Electron based
applications to fail randomly, but I believe other applications such as
wine-preloader (which I do not think is based on Chromium) are also
affected.
This has been reproduced on kernels >= 6.6.
In reviewing the code, my best guess is that this is caused by the
scenario where brk == start_brk not being handled, though I am not
expert enough in kernel code to know. If the start address allocated
by mmap is before the starting program break, and the end address is
after the starting program break, then the avc will trigger. However,
I don't know how mmap deals with determining an address and if it takes
into account the program break, or if calling brk(2) later on will just
pick a new location.
next prev parent reply other threads:[~2024-08-07 21:26 UTC|newest]
Thread overview: 35+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-07-28 5:00 [PATCH v3 0/4] mm: convert to vma_is_initial_heap/stack() Kefeng Wang
2023-07-28 5:00 ` Kefeng Wang
2023-07-28 5:00 ` Kefeng Wang
2023-07-28 5:00 ` [PATCH v3 1/4] mm: factor out VMA stack and heap checks Kefeng Wang
2023-07-28 5:00 ` Kefeng Wang
2023-07-28 5:00 ` Kefeng Wang
2023-07-28 5:00 ` [PATCH v3 2/4] drm/amdkfd: use vma_is_initial_stack() and vma_is_initial_heap() Kefeng Wang
2023-07-28 5:00 ` Kefeng Wang
2023-07-28 5:00 ` Kefeng Wang
2023-07-28 5:00 ` [PATCH v3 3/4] selinux: " Kefeng Wang
2023-07-28 5:00 ` Kefeng Wang
2023-07-28 5:00 ` Kefeng Wang
2023-07-31 14:26 ` Fwd: " Stephen Smalley
2023-07-31 16:19 ` Paul Moore
[not found] ` <CAEjxPJ6iFRZUetSvMgZvq_327U_JZ_w9s=gFccKgJhfCt8bqNg@mail.gmail.com>
[not found] ` <CAHC9VhRB1uVVWFUgnMZ1iwCD_A0mEX2Xhn79qTxuNKTzisWULg@mail.gmail.com>
2023-12-06 14:22 ` Ondrej Mosnacek
2023-12-06 20:47 ` Paul Moore
2023-12-07 4:50 ` Kefeng Wang
2023-12-07 8:37 ` Ondrej Mosnacek
2023-12-07 9:23 ` Kefeng Wang
2024-08-07 21:26 ` Marc Reisner [this message]
2024-08-08 1:10 ` Paul Moore
2024-08-08 6:43 ` Kefeng Wang
2024-08-08 11:09 ` Kefeng Wang
2024-08-08 11:41 ` Stephen Smalley
2024-08-08 13:12 ` Kefeng Wang
2024-08-08 15:03 ` Marc Reisner
2024-08-08 18:00 ` Liam R. Howlett
2024-08-08 19:35 ` Marc Reisner
2024-08-08 20:40 ` Paul Moore
2023-07-28 5:00 ` [PATCH v3 4/4] perf/core: " Kefeng Wang
2023-07-28 5:00 ` Kefeng Wang
2023-07-28 5:00 ` Kefeng Wang
2023-07-31 13:47 ` [PATCH v3 0/4] mm: convert to vma_is_initial_heap/stack() Peter Zijlstra
2023-07-31 13:47 ` Peter Zijlstra
2023-07-31 13:47 ` Peter Zijlstra
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZrPmoLKJEf1wiFmM@marcreisner.com \
--to=reisner.marc@gmail.com \
--cc=akpm@linux-foundation.org \
--cc=david@redhat.com \
--cc=linux-mm@kvack.org \
--cc=omosnace@redhat.com \
--cc=paul@paul-moore.com \
--cc=peterz@infradead.org \
--cc=selinux@vger.kernel.org \
--cc=stephen.smalley.work@gmail.com \
--cc=wangkefeng.wang@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.