From: Jann Horn <jannh@google.com>
To: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
Cc: Andrew Morton <akpm@linux-foundation.org>,
Peter Xu <peterx@redhat.com>,
Alexander Viro <viro@zeniv.linux.org.uk>,
Christian Brauner <brauner@kernel.org>, Jan Kara <jack@suse.cz>,
"Liam R . Howlett" <Liam.Howlett@oracle.com>,
Vlastimil Babka <vbabka@suse.cz>,
Pedro Falcato <pfalcato@suse.de>,
Rik van Riel <riel@surriel.com>,
linux-mm@kvack.org, linux-fsdevel@vger.kernel.org,
linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org,
Linux API <linux-api@vger.kernel.org>
Subject: Re: [PATCH v3 09/10] mm/mremap: permit mremap() move of multiple VMAs
Date: Fri, 25 Jul 2025 19:11:49 +0200 [thread overview]
Message-ID: <CAG48ez0KjHHAWsJo76GuuYYaFCH=3n7axN2ryxy7-Vabp5JA-Q@mail.gmail.com> (raw)
In-Reply-To: <8f41e72b0543953d277e96d5e67a52f287cdbac3.1752232673.git.lorenzo.stoakes@oracle.com>
On Fri, Jul 11, 2025 at 1:38 PM Lorenzo Stoakes
<lorenzo.stoakes@oracle.com> wrote:
> Note that any failures encountered will result in a partial move. Since an
> mremap() can fail at any time, this might result in only some of the VMAs
> being moved.
>
> Note that failures are very rare and typically require an out of a memory
> condition or a mapping limit condition to be hit, assuming the VMAs being
> moved are valid.
Hrm. So if userspace tries to move a series of VMAs with mremap(), and
the operation fails, and userspace assumes the old syscall semantics,
userspace could assume that its memory is still at the old address,
when that's actually not true; and if userspace tries to access it
there, userspace UAF happens?
If we were explicitly killing the userspace process on this error
path, that'd be fine; but since we're just returning an error, we're
kind of making userspace believe that the move hasn't happened? (You
might notice that I'm generally in favor of killing userspace
processes when userspace does sufficiently weird things.)
I guess it's not going to happen particularly often since mremap()
with MREMAP_FIXED is a weirdly specific operation in the first place;
normal users of mremap() (like libc's realloc()) wouldn't have a
reason to use it...
next prev parent reply other threads:[~2025-07-25 17:12 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-07-11 11:38 [PATCH v3 00/10] mm/mremap: permit mremap() move of multiple VMAs Lorenzo Stoakes
2025-07-11 11:38 ` [PATCH v3 01/10] mm/mremap: perform some simple cleanups Lorenzo Stoakes
2025-07-11 11:38 ` [PATCH v3 02/10] mm/mremap: refactor initial parameter sanity checks Lorenzo Stoakes
2025-07-11 11:38 ` [PATCH v3 03/10] mm/mremap: put VMA check and prep logic into helper function Lorenzo Stoakes
2025-07-11 11:38 ` [PATCH v3 04/10] mm/mremap: cleanup post-processing stage of mremap Lorenzo Stoakes
2025-07-11 11:38 ` [PATCH v3 05/10] mm/mremap: use an explicit uffd failure path for mremap Lorenzo Stoakes
2025-07-11 11:38 ` [PATCH v3 06/10] mm/mremap: check remap conditions earlier Lorenzo Stoakes
2025-07-11 11:38 ` [PATCH v3 07/10] mm/mremap: move remap_is_valid() into check_prep_vma() Lorenzo Stoakes
2025-07-11 11:38 ` [PATCH v3 08/10] mm/mremap: clean up mlock populate behaviour Lorenzo Stoakes
2025-07-11 11:38 ` [PATCH v3 09/10] mm/mremap: permit mremap() move of multiple VMAs Lorenzo Stoakes
2025-07-11 13:34 ` Vlastimil Babka
2025-07-11 13:49 ` Lorenzo Stoakes
2025-07-11 14:14 ` Lorenzo Stoakes
2025-07-16 19:36 ` Lorenzo Stoakes
2025-07-25 17:11 ` Jann Horn [this message]
2025-07-25 17:27 ` Lorenzo Stoakes
2025-07-25 19:10 ` Jann Horn
2025-07-25 19:59 ` Lorenzo Stoakes
2025-07-11 11:38 ` [PATCH v3 10/10] tools/testing/selftests: extend mremap_test to test multi-VMA mremap Lorenzo Stoakes
2025-07-11 13:45 ` [PATCH v3 00/10] mm/mremap: permit mremap() move of multiple VMAs Lorenzo Stoakes
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAG48ez0KjHHAWsJo76GuuYYaFCH=3n7axN2ryxy7-Vabp5JA-Q@mail.gmail.com' \
--to=jannh@google.com \
--cc=Liam.Howlett@oracle.com \
--cc=akpm@linux-foundation.org \
--cc=brauner@kernel.org \
--cc=jack@suse.cz \
--cc=linux-api@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=lorenzo.stoakes@oracle.com \
--cc=peterx@redhat.com \
--cc=pfalcato@suse.de \
--cc=riel@surriel.com \
--cc=vbabka@suse.cz \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).