Message ID: 20191107195355.80608-1-joel@joelfernandes.org
State: New
Series: [1/2] memfd: Fix COW issue on MAP_PRIVATE and F_SEAL_FUTURE_WRITE mappings
On Thu, 7 Nov 2019 14:53:54 -0500 "Joel Fernandes (Google)" <joel@joelfernandes.org> wrote:

> F_SEAL_FUTURE_WRITE has unexpected behavior when used with MAP_PRIVATE:
> A private mapping created after the memfd file that gets sealed with
> F_SEAL_FUTURE_WRITE loses the copy-on-write at fork behavior, meaning
> children and parent share the same memory, even though the mapping is
> private.

That sounds fairly serious. Should this be backported into -stable kernels?
On Thu, Nov 07, 2019 at 05:00:23PM -0800, Andrew Morton wrote:
> On Thu, 7 Nov 2019 14:53:54 -0500 "Joel Fernandes (Google)" <joel@joelfernandes.org> wrote:
>
> > F_SEAL_FUTURE_WRITE has unexpected behavior when used with MAP_PRIVATE:
> > A private mapping created after the memfd file that gets sealed with
> > F_SEAL_FUTURE_WRITE loses the copy-on-write at fork behavior, meaning
> > children and parent share the same memory, even though the mapping is
> > private.
>
> That sounds fairly serious. Should this be backported into -stable kernels?

Yes, it should be. The F_SEAL_FUTURE_WRITE feature was introduced in v5.1 so
v5.3.x stable kernels would need a backport. I can submit a backport tomorrow
unless we are Ok with stable automatically picking it up (I believe the
stable folks "auto select" fixes which should detect this is a fix since I
have said it is a fix in the subject line).

thanks,

- Joel
On Thu, 7 Nov 2019 21:06:14 -0500 Joel Fernandes <joel@joelfernandes.org> wrote:

> On Thu, Nov 07, 2019 at 05:00:23PM -0800, Andrew Morton wrote:
> > On Thu, 7 Nov 2019 14:53:54 -0500 "Joel Fernandes (Google)" <joel@joelfernandes.org> wrote:
> >
> > > F_SEAL_FUTURE_WRITE has unexpected behavior when used with MAP_PRIVATE:
> > > A private mapping created after the memfd file that gets sealed with
> > > F_SEAL_FUTURE_WRITE loses the copy-on-write at fork behavior, meaning
> > > children and parent share the same memory, even though the mapping is
> > > private.
> >
> > That sounds fairly serious. Should this be backported into -stable kernels?
>
> Yes, it should be.

I added

Fixes: ab3948f58ff84 ("mm/memfd: add an F_SEAL_FUTURE_WRITE seal to memfd")
Cc: <stable@vger.kernel.org>

> The F_SEAL_FUTURE_WRITE feature was introduced in v5.1 so
> v5.3.x stable kernels would need a backport. I can submit a backport tomorrow
> unless we are Ok with stable automatically picking it up (I believe the
> stable folks "auto select" fixes which should detect this is a fix since I
> have said it is a fix in the subject line).

The Cc:stable tag should trigger the appropriate actions, assisted by the
Fixes:. I doubt if "fix" in the Subject has much effect.
> - * Since the F_SEAL_FUTURE_WRITE seals allow for a MAP_SHARED
> - * read-only mapping, take care to not allow mprotect to revert
> - * protections.
> + * Since an F_SEAL_FUTURE_WRITE sealed memfd can be mapped as
> + * MAP_SHARED and read-only, take care to not allow mprotect to
> + * revert protections on such mappings. Do this only for shared
> + * mappings. For private mappings, don't need to mask VM_MAYWRITE

This adds an > 80 char line.
On Thu, Nov 07, 2019 at 09:06:14PM -0500, Joel Fernandes wrote:
> On Thu, Nov 07, 2019 at 05:00:23PM -0800, Andrew Morton wrote:
> > On Thu, 7 Nov 2019 14:53:54 -0500 "Joel Fernandes (Google)" <joel@joelfernandes.org> wrote:
> >
> > > F_SEAL_FUTURE_WRITE has unexpected behavior when used with MAP_PRIVATE:
> > > A private mapping created after the memfd file that gets sealed with
> > > F_SEAL_FUTURE_WRITE loses the copy-on-write at fork behavior, meaning
> > > children and parent share the same memory, even though the mapping is
> > > private.
> >
> > That sounds fairly serious. Should this be backported into -stable kernels?
>
> Yes, it should be. The F_SEAL_FUTURE_WRITE feature was introduced in v5.1 so
> v5.3.x stable kernels would need a backport. I can submit a backport tomorrow
> unless we are Ok with stable automatically picking it up (I believe the
> stable folks "auto select" fixes which should detect this is a fix since I
> have said it is a fix in the subject line).

Never rely on "auto select" to pick up a patch for stable if you already
know it should go to stable. Just mark it as such, or tell stable@vger
after the fact.

thanks,

greg k-h
On Fri, Nov 08, 2019 at 07:37:15AM +0100, Greg KH wrote:
> On Thu, Nov 07, 2019 at 09:06:14PM -0500, Joel Fernandes wrote:
> > On Thu, Nov 07, 2019 at 05:00:23PM -0800, Andrew Morton wrote:
> > > On Thu, 7 Nov 2019 14:53:54 -0500 "Joel Fernandes (Google)" <joel@joelfernandes.org> wrote:
> > >
> > > > F_SEAL_FUTURE_WRITE has unexpected behavior when used with MAP_PRIVATE:
> > > > A private mapping created after the memfd file that gets sealed with
> > > > F_SEAL_FUTURE_WRITE loses the copy-on-write at fork behavior, meaning
> > > > children and parent share the same memory, even though the mapping is
> > > > private.
> > >
> > > That sounds fairly serious. Should this be backported into -stable kernels?
> >
> > Yes, it should be. The F_SEAL_FUTURE_WRITE feature was introduced in v5.1 so
> > v5.3.x stable kernels would need a backport. I can submit a backport tomorrow
> > unless we are Ok with stable automatically picking it up (I believe the
> > stable folks "auto select" fixes which should detect this is a fix since I
> > have said it is a fix in the subject line).
>
> Never rely on "auto select" to pick up a patch for stable if you already
> know it should go to stable. Just mark it as such, or tell stable@vger
> after the fact.

Sure, agreed. Thanks Andrew for adding the tags!

thanks,

- Joel
On Thu, Nov 07, 2019 at 10:33:08PM -0800, Christoph Hellwig wrote:
> > - * Since the F_SEAL_FUTURE_WRITE seals allow for a MAP_SHARED
> > - * read-only mapping, take care to not allow mprotect to revert
> > - * protections.
> > + * Since an F_SEAL_FUTURE_WRITE sealed memfd can be mapped as
> > + * MAP_SHARED and read-only, take care to not allow mprotect to
> > + * revert protections on such mappings. Do this only for shared
> > + * mappings. For private mappings, don't need to mask VM_MAYWRITE
>
> This adds an > 80 char line.

Oh, true. Sorry. Andrew I hate to ask you but since you took the patch
already, could you just fix the comment for the character limit in the one
you applied?

thanks,

- Joel
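A user-space regression check for the behaviour discussed in this thread, written here as an added example (it is not from the patch or from any of the messages above): it seals a memfd with F_SEAL_FUTURE_WRITE before mapping it, then verifies that a MAP_PRIVATE mapping still gets its own copy-on-write page after fork, and that a read-only MAP_SHARED mapping still cannot be promoted to writable with mprotect. The function names, the return-code convention and the 4096-byte region size are this example's own assumptions.

```c
#define _GNU_SOURCE                 /* glibc: expose memfd/seal declarations */
#include <fcntl.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#ifndef F_ADD_SEALS                 /* fallbacks for older headers */
#define F_ADD_SEALS 1033            /* F_LINUX_SPECIFIC_BASE + 9 */
#endif
#ifndef F_SEAL_FUTURE_WRITE
#define F_SEAL_FUTURE_WRITE 0x0010  /* seal added in v5.1 */
#endif
#define LEN 4096                    /* one small region is enough to test */
/* memfd_create, seal with F_SEAL_FUTURE_WRITE, then mmap(prot, flags): the seal is
 * applied before the mapping exists, as in the report. 1U|2U = MFD_CLOEXEC|MFD_ALLOW_SEALING. */
static void *sealed_map(int prot, int flags)
{
    int fd = (int)syscall(SYS_memfd_create, "cow-check", 1U | 2U);
    if (fd < 0) return MAP_FAILED;
    int ok = ftruncate(fd, LEN) == 0 && fcntl(fd, F_ADD_SEALS, F_SEAL_FUTURE_WRITE) == 0;
    void *p = ok ? mmap(NULL, LEN, prot, flags, fd, 0) : MAP_FAILED;
    close(fd);
    return p;
}

/* MAP_PRIVATE then fork: 0 = child's write stays in its own COW copy (expected),
 * 1 = the parent observes it (the reported bug), -1 = memfd sealing unavailable. */
int private_cow_survives_seal(void)
{
    volatile char *p = sealed_map(PROT_READ | PROT_WRITE, MAP_PRIVATE);
    if (p == MAP_FAILED) return -1;
    p[0] = 'A';                                   /* parent takes its COW copy */
    pid_t pid = fork();
    if (pid < 0) { munmap((void *)p, LEN); return -1; }
    if (pid == 0) { p[0] = 'B'; _exit(0); }       /* must not reach the parent */
    waitpid(pid, NULL, 0);
    int leaked = (p[0] == 'B');
    munmap((void *)p, LEN);
    return leaked;
}

/* Read-only MAP_SHARED: 0 = mprotect(PROT_WRITE) is still refused (the patch keeps
 * masking VM_MAYWRITE for shared mappings), 1 = it succeeded, -1 = unavailable. */
int shared_readonly_stays_readonly(void)
{
    void *p = sealed_map(PROT_READ, MAP_SHARED);
    if (p == MAP_FAILED) return -1;
    int promoted = (mprotect(p, LEN, PROT_READ | PROT_WRITE) == 0);
    munmap(p, LEN);
    return promoted;
}
```

Both functions return -1 rather than a verdict when memfd sealing is not available (pre-5.1 kernel, missing headers, or a sandbox that blocks the syscalls), so a backport can be checked by looking only for a return value of 1.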
diff --git a/mm/shmem.c b/mm/shmem.c index 447fd575587c..6ac5e867ef13 100644 --- a/mm/shmem.c +++ b/mm/shmem.c @@ -2214,11 +2214,14 @@ static int shmem_mmap(struct file *file, struct vm_area_struct *vma) return -EPERM; /* - * Since the F_SEAL_FUTURE_WRITE seals allow for a MAP_SHARED - * read-only mapping, take care to not allow mprotect to revert - * protections. + * Since an F_SEAL_FUTURE_WRITE sealed memfd can be mapped as + * MAP_SHARED and read-only, take care to not allow mprotect to + * revert protections on such mappings. Do this only for shared + * mappings. For private mappings, don't need to mask VM_MAYWRITE + * as we still want them to be COW-writable. */ - vma->vm_flags &= ~(VM_MAYWRITE); + if (vma->vm_flags & VM_SHARED) + vma->vm_flags &= ~(VM_MAYWRITE); } file_accessed(file);
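Review bot: the new comment line `+ * mappings. For private mappings, don't need to mask VM_MAYWRITE` runs past 80 columns (the point Christoph raised) and is missing its subject; rewrap it, for example `* mappings. For private mappings there is no need to mask VM_MAYWRITE` followed by `* as we still want them to be COW-writable.` The code change itself, `if (vma->vm_flags & VM_SHARED) vma->vm_flags &= ~(VM_MAYWRITE);`, is right as far as the hunk shows: it relies on the check just above (visible here only as the `return -EPERM;` context) having already rejected writable MAP_SHARED mappings, so a private writable mapping keeps VM_MAYWRITE and fork can treat it as copy-on-write; confirm the v5.3.x tree has that preceding check in the same shape before backporting. Also, as agreed in the thread, the patch as posted lacks the `Fixes:` and `Cc: <stable@vger.kernel.org>` tags, and those need to be on the version that goes to stable.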