[PATCH] hugetlbfs private mappings.

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

* [PATCH] hugetlbfs private mappings.
@ 2004-07-11 12:59 Oleg Nesterov
  2004-07-12  0:15 ` William Lee Irwin III
  0 siblings, 1 reply; 4+ messages in thread
From: Oleg Nesterov @ 2004-07-11 12:59 UTC (permalink / raw)
  To: linux-kernel; +Cc: Andrew Morton, William Lee Irwin III, David Gibson

Hello.

Hugetlbfs silently coerce private mappings of hugetlb files
into shared ones. So private writable mapping has MAP_SHARED
semantics. I think, such mappings should be disallowed.

First, such behavior allows open hugetlbfs file O_RDONLY, and
overwrite it via mmap(PROT_READ|PROT_WRITE, MAP_PRIVATE), so
it is security bug.

Second, private writable mmap() should fail just because kernel
does not support this.

I beleive, it is ok to allow private readonly hugetlb mappings,
sys_mprotect() does not work with hugetlb vmas.

There is another problem. Hugetlb mapping is always prefaulted,
pages allocated at mmap() time. So even readonly mapping allows
to enlarge the size of the hugetlbfs file, and steal huge pages
without appropriative permissions.

Patch on top of vm_pgoff fixes, see
http://marc.theaimsgroup.com/?l=linux-kernel&m=108938233708584

Oleg.

Signed-off-by: Oleg Nesterov <oleg@tv-sign.ru>

--- 2.6.7-mm7/fs/hugetlbfs/inode.c.pgoff	2004-07-11 15:32:09.000000000 +0400
+++ 2.6.7-mm7/fs/hugetlbfs/inode.c	2004-07-11 16:09:27.000000000 +0400
@@ -52,6 +52,9 @@ static int hugetlbfs_file_mmap(struct fi
 	loff_t len, vma_len;
 	int ret;

+	if ((vma->vm_flags & (VM_MAYSHARE | VM_WRITE)) == VM_WRITE)
+		return -EINVAL;
+
 	if (vma->vm_pgoff & (HPAGE_SIZE / PAGE_SIZE - 1))
 		return -EINVAL;

@@ -70,10 +73,19 @@ static int hugetlbfs_file_mmap(struct fi
 	file_accessed(file);
 	vma->vm_flags |= VM_HUGETLB | VM_RESERVED;
 	vma->vm_ops = &hugetlb_vm_ops;
+
+	ret = -ENOMEM;
+	len = vma_len + ((loff_t)vma->vm_pgoff << PAGE_SHIFT);
+	if (!(vma->vm_flags & VM_WRITE) && len > inode->i_size)
+		goto out;
+
 	ret = hugetlb_prefault(mapping, vma);
-	len = vma_len +	((loff_t)vma->vm_pgoff << PAGE_SHIFT);
-	if (ret == 0 && inode->i_size < len)
+	if (ret)
+		goto out;
+
+	if (inode->i_size < len)
 		inode->i_size = len;
+out:
 	up(&inode->i_sem);

 	return ret;

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH] hugetlbfs private mappings.
  2004-07-11 12:59 [PATCH] hugetlbfs private mappings Oleg Nesterov
@ 2004-07-12  0:15 ` William Lee Irwin III
  2004-07-12 12:11   ` Oleg Nesterov
  0 siblings, 1 reply; 4+ messages in thread
From: William Lee Irwin III @ 2004-07-12  0:15 UTC (permalink / raw)
  To: Oleg Nesterov; +Cc: linux-kernel, Andrew Morton, David Gibson

On Sun, Jul 11, 2004 at 04:59:38PM +0400, Oleg Nesterov wrote:
> Hugetlbfs silently coerce private mappings of hugetlb files
> into shared ones. So private writable mapping has MAP_SHARED
> semantics. I think, such mappings should be disallowed.
> First, such behavior allows open hugetlbfs file O_RDONLY, and
> overwrite it via mmap(PROT_READ|PROT_WRITE, MAP_PRIVATE), so
> it is security bug.
> Second, private writable mmap() should fail just because kernel
> does not support this.
> I beleive, it is ok to allow private readonly hugetlb mappings,
> sys_mprotect() does not work with hugetlb vmas.
> There is another problem. Hugetlb mapping is always prefaulted,
> pages allocated at mmap() time. So even readonly mapping allows
> to enlarge the size of the hugetlbfs file, and steal huge pages
> without appropriative permissions.
> Patch on top of vm_pgoff fixes, see
> http://marc.theaimsgroup.com/?l=linux-kernel&m=108938233708584

This probably doesn't break anything worth caring about, but it may
make people happier to just force MAP_SHARED on.


-- wli

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH] hugetlbfs private mappings.
  2004-07-12  0:15 ` William Lee Irwin III
@ 2004-07-12 12:11   ` Oleg Nesterov
  2004-07-12 19:35     ` William Lee Irwin III
  0 siblings, 1 reply; 4+ messages in thread
From: Oleg Nesterov @ 2004-07-12 12:11 UTC (permalink / raw)
  To: William Lee Irwin III; +Cc: linux-kernel, Andrew Morton, David Gibson

William Lee Irwin III wrote:
> 
> On Sun, Jul 11, 2004 at 04:59:38PM +0400, Oleg Nesterov wrote:
> > Hugetlbfs silently coerce private mappings of hugetlb files
> > into shared ones. So private writable mapping has MAP_SHARED
> > semantics. I think, such mappings should be disallowed.
> 
> This probably doesn't break anything worth caring about, but it may
> make people happier to just force MAP_SHARED on.

Yes, it was my initial intent. Andrew Morton pointed out, that
this could break existing applications.

Oleg.

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH] hugetlbfs private mappings.
  2004-07-12 12:11   ` Oleg Nesterov
@ 2004-07-12 19:35     ` William Lee Irwin III
  0 siblings, 0 replies; 4+ messages in thread
From: William Lee Irwin III @ 2004-07-12 19:35 UTC (permalink / raw)
  To: Oleg Nesterov; +Cc: linux-kernel, Andrew Morton, David Gibson

William Lee Irwin III wrote:
>> This probably doesn't break anything worth caring about, but it may
>> make people happier to just force MAP_SHARED on.

On Mon, Jul 12, 2004 at 04:11:18PM +0400, Oleg Nesterov wrote:
> Yes, it was my initial intent. Andrew Morton pointed out, that
> this could break existing applications.

I see; I thought the concern went the other direction. All's well, then.


-- wli

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2004-07-12 19:35 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2004-07-11 12:59 [PATCH] hugetlbfs private mappings Oleg Nesterov
2004-07-12  0:15 ` William Lee Irwin III
2004-07-12 12:11   ` Oleg Nesterov
2004-07-12 19:35     ` William Lee Irwin III

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox