From: Mateusz Guzik <mguzik@redhat.com>
To: Anshuman Khandual <anshuman.linux@gmail.com>
Cc: linux-kernel@vger.kernel.org, linux-mm@kvack.org,
Alexey Dobriyan <adobriyan@gmail.com>,
Cyrill Gorcunov <gorcunov@openvz.org>,
Jarod Wilson <jarod@redhat.com>,
Jan Stancek <jstancek@redhat.com>,
Andrew Morton <akpm@linux-foundation.org>,
Al Viro <viro@zeniv.linux.org.uk>
Subject: Re: [PATCH 1/2] prctl: take mmap sem for writing to protect against others
Date: Wed, 6 Jan 2016 11:02:48 +0100 [thread overview]
Message-ID: <20160106100247.GB10366@mguzik> (raw)
In-Reply-To: <CAKeScWgfg2G6q7ffBLGi2R_xHcp+8NbYEQ7t73pY9oDKWgeqog@mail.gmail.com>
On Wed, Jan 06, 2016 at 03:05:09PM +0530, Anshuman Khandual wrote:
> On Wed, Jan 6, 2016 at 10:32 AM, Mateusz Guzik <mguzik@redhat.com> wrote:
> > The code was taking the semaphore for reading, which does not protect
> > against readers nor concurrent modifications.
>
> (down/up)_read does not protect against concurrent readers ?
>
Maybe wording could be improved.
The point is, prctl is modifying various fields while having the
semaphore for reading. Other code, presumably wanting to read said
fields, can take semaphore for reading itsef in order to get a stable
copy. Except turns out it does not help here. Since the both the reader
and the writer did that, the reader can read stuff as it is changing.
> >
> > The problem could cause a sanity checks to fail in procfs's cmdline
> > reader, resulting in an OOPS.
> >
>
> Can you explain this a bit and may be give some examples ?
>
Given the above, let's consider a program moving around arg_start +
arg_end by few bytes while proc_pid_cmdline_read is being executed.
proc_pid_cmdline_read does:
down_read(&mm->mmap_sem);
arg_start = mm->arg_start;
arg_end = mm->arg_end;
env_start = mm->env_start;
env_end = mm->env_end;
up_read(&mm->mmap_sem);
Since the writer also has the semaphore only for reading, this function
can proceed to read stuff as it is being modified. In particular it can
read arg_start *prior* to modification and arg_end *after*. This trips
up BUG_ON(arg_start > arg_end).
That is, for the sake of argument, if the code is changing the pair from
0x2000 & 0x2020 to 0x1000 & 0x1020, someone else may read arg_start
0x2000 and arg_end 0x1020.
This code should showcase the problem:
http://people.redhat.com/~mguzik/misc/prctl.c
It is somewhat crude, you may ned to adjust hardcoded values for your
binary.
> > Note that some functions perform an unlocked read of various mm fields,
> > but they seem to be fine despite possible modificaton.
>
> Those need to be fixed as well ?
>
As stated earlier, these can live without changes, but that does not
look like a good idea.
--
Mateusz Guzik
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
next prev parent reply other threads:[~2016-01-06 10:02 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-01-06 5:02 [PATCH 0/2] fix up {arg,env}_{start,end} vs prctl Mateusz Guzik
2016-01-06 5:02 ` [PATCH 1/2] prctl: take mmap sem for writing to protect against others Mateusz Guzik
2016-01-06 9:17 ` Anshuman Khandual
2016-01-06 9:35 ` Anshuman Khandual
2016-01-06 10:02 ` Mateusz Guzik [this message]
2016-01-06 5:02 ` [PATCH 2/2] proc read mm's {arg,env}_{start,end} with mmap semaphore taken Mateusz Guzik
2016-01-06 9:44 ` Anshuman Khandual
2016-01-06 19:43 ` Mateusz Guzik
2016-01-07 9:52 ` [PATCH 0/2] fix up {arg,env}_{start,end} vs prctl Cyrill Gorcunov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160106100247.GB10366@mguzik \
--to=mguzik@redhat.com \
--cc=adobriyan@gmail.com \
--cc=akpm@linux-foundation.org \
--cc=anshuman.linux@gmail.com \
--cc=gorcunov@openvz.org \
--cc=jarod@redhat.com \
--cc=jstancek@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).