linux-user: Ensure mmap_min_addr is non-zero

Message ID	20200724212314.545877-1-richard.henderson@linaro.org
State	Superseded
Headers	show Delivered-To: patch@linaro.org Received-SPF: pass (google.com: domain of qemu-devel-bounces+patch=linaro.org@nongnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; From: Richard Henderson <richard.henderson@linaro.org> To: qemu-devel@nongnu.org Subject: [PATCH] linux-user: Ensure mmap_min_addr is non-zero Date: Fri, 24 Jul 2020 14:23:14 -0700 Message-Id: <20200724212314.545877-1-richard.henderson@linaro.org> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Received-SPF: pass client-ip=2607:f8b0:4864:20::1042; envelope-from=richard.henderson@linaro.org; helo=mail-pj1-x1042.google.com Precedence: list Cc: alex.bennee@linaro.org, laurent@vivier.eu, John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de> Errors-To: qemu-devel-bounces+patch=linaro.org@nongnu.org Sender: "Qemu-devel" <qemu-devel-bounces+patch=linaro.org@nongnu.org>
Series	linux-user: Ensure mmap_min_addr is non-zero \| expand linux-user: Ensure mmap_min_addr is non-zero

Message ID

20200724212314.545877-1-richard.henderson@linaro.org

State

Superseded

Headers

Received-SPF: pass (google.com: domain of
	qemu-devel-bounces+patch=linaro.org@nongnu.org designates
	209.51.188.17 as permitted sender) client-ip=209.51.188.17; 
From: Richard Henderson <richard.henderson@linaro.org>
To: qemu-devel@nongnu.org
Subject: [PATCH] linux-user: Ensure mmap_min_addr is non-zero
Date: Fri, 24 Jul 2020 14:23:14 -0700
Message-Id: <20200724212314.545877-1-richard.henderson@linaro.org>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Received-SPF: pass client-ip=2607:f8b0:4864:20::1042;
	envelope-from=richard.henderson@linaro.org;
	helo=mail-pj1-x1042.google.com
X-Spam_score_int: -20
X-Spam_score: -2.1
X-Spam_bar: --
X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,
	DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1,
	RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001,
	SPF_PASS=-0.001 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-BeenThere: qemu-devel@nongnu.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <https://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
Cc: alex.bennee@linaro.org, laurent@vivier.eu,
	John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
Errors-To: qemu-devel-bounces+patch=linaro.org@nongnu.org
Sender: "Qemu-devel" <qemu-devel-bounces+patch=linaro.org@nongnu.org>

Series

linux-user: Ensure mmap_min_addr is non-zero | expand

Commit Message

Richard Henderson July 24, 2020, 9:23 p.m. UTC

When the chroot does not have /proc mounted, we can read neither
/proc/sys/vm/mmap_min_addr nor /proc/sys/maps.

The enforcement of mmap_min_addr in the host kernel is done by
the security module, and so does not apply to processes owned
by root.  Which leads pgd_find_hole_fallback to succeed in probing
a reservation at address 0.  Which confuses pgb_reserved_va to
believe that guest_base has not actually been initialized.

We don't actually want NULL addresses to become accessible, so
make sure that mmap_min_addr is initialized with a non-zero value.

Buglink: https://bugs.launchpad.net/qemu/+bug/1888728
Reported-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>

---
 linux-user/main.c | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

-- 
2.25.1

Comments

John Paul Adrian Glaubitz July 27, 2020, 11:09 a.m. UTC | #1

Hi!

On 7/24/20 11:23 PM, Richard Henderson wrote:
> When the chroot does not have /proc mounted, we can read neither

> /proc/sys/vm/mmap_min_addr nor /proc/sys/maps.

> 

> The enforcement of mmap_min_addr in the host kernel is done by

> the security module, and so does not apply to processes owned

> by root.  Which leads pgd_find_hole_fallback to succeed in probing

> a reservation at address 0.  Which confuses pgb_reserved_va to

> believe that guest_base has not actually been initialized.

> 

> We don't actually want NULL addresses to become accessible, so

> make sure that mmap_min_addr is initialized with a non-zero value.

> 

> Buglink: https://bugs.launchpad.net/qemu/+bug/1888728

> Reported-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>

> Signed-off-by: Richard Henderson <richard.henderson@linaro.org>

> ---

>  linux-user/main.c | 16 ++++++++++++++--

>  1 file changed, 14 insertions(+), 2 deletions(-)

> 

> diff --git a/linux-user/main.c b/linux-user/main.c

> index 3597e99bb1..75c9785157 100644

> --- a/linux-user/main.c

> +++ b/linux-user/main.c

> @@ -758,14 +758,26 @@ int main(int argc, char **argv, char **envp)

>  

>          if ((fp = fopen("/proc/sys/vm/mmap_min_addr", "r")) != NULL) {

>              unsigned long tmp;

> -            if (fscanf(fp, "%lu", &tmp) == 1) {

> +            if (fscanf(fp, "%lu", &tmp) == 1 && tmp != 0) {

>                  mmap_min_addr = tmp;

> -                qemu_log_mask(CPU_LOG_PAGE, "host mmap_min_addr=0x%lx\n", mmap_min_addr);

> +                qemu_log_mask(CPU_LOG_PAGE, "host mmap_min_addr=0x%lx\n",

> +                              mmap_min_addr);

>              }

>              fclose(fp);

>          }

>      }

>  

> +    /*

> +     * We prefer to not make NULL pointers accessible to QEMU.

> +     * If we're in a chroot with no /proc, fall back to 1 page.

> +     */

> +    if (mmap_min_addr == 0) {

> +        mmap_min_addr = qemu_host_page_size;

> +        qemu_log_mask(CPU_LOG_PAGE,

> +                      "host mmap_min_addr=0x%lx (fallback)\n",

> +                      mmap_min_addr);

> +    }

> +

>      /*

>       * Prepare copy of argv vector for target.

>       */

> 


This fixes the problem for me, therefore:

Tested-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>


Adrian

-- 
 .''`.  John Paul Adrian Glaubitz
: :' :  Debian Developer - glaubitz@debian.org
`. `'   Freie Universitaet Berlin - glaubitz@physik.fu-berlin.de
  `-    GPG: 62FF 8A75 84E0 2956 9546  0006 7426 3B37 F5B5 F913

Laurent Vivier July 27, 2020, 11:19 a.m. UTC | #2

Le 24/07/2020 à 23:23, Richard Henderson a écrit :
> When the chroot does not have /proc mounted, we can read neither

> /proc/sys/vm/mmap_min_addr nor /proc/sys/maps.

> 

> The enforcement of mmap_min_addr in the host kernel is done by

> the security module, and so does not apply to processes owned

> by root.  Which leads pgd_find_hole_fallback to succeed in probing

> a reservation at address 0.  Which confuses pgb_reserved_va to

> believe that guest_base has not actually been initialized.

> 

> We don't actually want NULL addresses to become accessible, so

> make sure that mmap_min_addr is initialized with a non-zero value.

> 

> Buglink: https://bugs.launchpad.net/qemu/+bug/1888728

> Reported-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>

> Signed-off-by: Richard Henderson <richard.henderson@linaro.org>

> ---

>  linux-user/main.c | 16 ++++++++++++++--

>  1 file changed, 14 insertions(+), 2 deletions(-)

> 


Richard, do you want to add this fix in one of your branches PR?

In this case:
Acked-by: Laurent Vivier <laurent@vivier.eu>


Otherwise I can prepare a small one for linux-user, adding one or two
fixes...

Thanks,
Laurent

Richard Henderson July 27, 2020, 7:41 p.m. UTC | #3

On 7/27/20 4:19 AM, Laurent Vivier wrote:
> Le 24/07/2020 à 23:23, Richard Henderson a écrit :

>> When the chroot does not have /proc mounted, we can read neither

>> /proc/sys/vm/mmap_min_addr nor /proc/sys/maps.

>>

>> The enforcement of mmap_min_addr in the host kernel is done by

>> the security module, and so does not apply to processes owned

>> by root.  Which leads pgd_find_hole_fallback to succeed in probing

>> a reservation at address 0.  Which confuses pgb_reserved_va to

>> believe that guest_base has not actually been initialized.

>>

>> We don't actually want NULL addresses to become accessible, so

>> make sure that mmap_min_addr is initialized with a non-zero value.

>>

>> Buglink: https://bugs.launchpad.net/qemu/+bug/1888728

>> Reported-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>

>> Signed-off-by: Richard Henderson <richard.henderson@linaro.org>

>> ---

>>  linux-user/main.c | 16 ++++++++++++++--

>>  1 file changed, 14 insertions(+), 2 deletions(-)

>>

> 

> Richard, do you want to add this fix in one of your branches PR?


I don't have anything queued at the moment.  I thought I would be able to
convince Alex to add it to his misc queue, but he sent that this morning.

> In this case:

> Acked-by: Laurent Vivier <laurent@vivier.eu>

> 

> Otherwise I can prepare a small one for linux-user, adding one or two

> fixes...


Please go ahead.


r~

Laurent Vivier July 27, 2020, 8:03 p.m. UTC | #4

Le 24/07/2020 à 23:23, Richard Henderson a écrit :
> When the chroot does not have /proc mounted, we can read neither

> /proc/sys/vm/mmap_min_addr nor /proc/sys/maps.

> 

> The enforcement of mmap_min_addr in the host kernel is done by

> the security module, and so does not apply to processes owned

> by root.  Which leads pgd_find_hole_fallback to succeed in probing

> a reservation at address 0.  Which confuses pgb_reserved_va to

> believe that guest_base has not actually been initialized.

> 

> We don't actually want NULL addresses to become accessible, so

> make sure that mmap_min_addr is initialized with a non-zero value.

> 

> Buglink: https://bugs.launchpad.net/qemu/+bug/1888728

> Reported-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>

> Signed-off-by: Richard Henderson <richard.henderson@linaro.org>

> ---

>  linux-user/main.c | 16 ++++++++++++++--

>  1 file changed, 14 insertions(+), 2 deletions(-)

> 

> diff --git a/linux-user/main.c b/linux-user/main.c

> index 3597e99bb1..75c9785157 100644

> --- a/linux-user/main.c

> +++ b/linux-user/main.c

> @@ -758,14 +758,26 @@ int main(int argc, char **argv, char **envp)

>  

>          if ((fp = fopen("/proc/sys/vm/mmap_min_addr", "r")) != NULL) {

>              unsigned long tmp;

> -            if (fscanf(fp, "%lu", &tmp) == 1) {

> +            if (fscanf(fp, "%lu", &tmp) == 1 && tmp != 0) {

>                  mmap_min_addr = tmp;

> -                qemu_log_mask(CPU_LOG_PAGE, "host mmap_min_addr=0x%lx\n", mmap_min_addr);

> +                qemu_log_mask(CPU_LOG_PAGE, "host mmap_min_addr=0x%lx\n",

> +                              mmap_min_addr);

>              }

>              fclose(fp);

>          }

>      }

>  

> +    /*

> +     * We prefer to not make NULL pointers accessible to QEMU.

> +     * If we're in a chroot with no /proc, fall back to 1 page.

> +     */

> +    if (mmap_min_addr == 0) {

> +        mmap_min_addr = qemu_host_page_size;

> +        qemu_log_mask(CPU_LOG_PAGE,

> +                      "host mmap_min_addr=0x%lx (fallback)\n",

> +                      mmap_min_addr);

> +    }

> +

>      /*

>       * Prepare copy of argv vector for target.

>       */

> 


Applied to my linux-user-for-5.1 branch.

Thanks,
Laurent

diff --git a/linux-user/main.c b/linux-user/main.c
index 3597e99bb1..75c9785157 100644
--- a/linux-user/main.c
+++ b/linux-user/main.c
@@ -758,14 +758,26 @@  int main(int argc, char **argv, char **envp)
 
         if ((fp = fopen("/proc/sys/vm/mmap_min_addr", "r")) != NULL) {
             unsigned long tmp;
-            if (fscanf(fp, "%lu", &tmp) == 1) {
+            if (fscanf(fp, "%lu", &tmp) == 1 && tmp != 0) {
                 mmap_min_addr = tmp;
-                qemu_log_mask(CPU_LOG_PAGE, "host mmap_min_addr=0x%lx\n", mmap_min_addr);
+                qemu_log_mask(CPU_LOG_PAGE, "host mmap_min_addr=0x%lx\n",
+                              mmap_min_addr);
             }
             fclose(fp);
         }
     }
 
+    /*
+     * We prefer to not make NULL pointers accessible to QEMU.
+     * If we're in a chroot with no /proc, fall back to 1 page.
+     */
+    if (mmap_min_addr == 0) {
+        mmap_min_addr = qemu_host_page_size;
+        qemu_log_mask(CPU_LOG_PAGE,
+                      "host mmap_min_addr=0x%lx (fallback)\n",
+                      mmap_min_addr);
+    }
+
     /*
      * Prepare copy of argv vector for target.
      */

linux-user: Ensure mmap_min_addr is non-zero

Commit Message

Comments

Patch