From patchwork Wed Dec 9 03:21:55 2020
X-Patchwork-Submitter: Minchan Kim
X-Patchwork-Id: 11960205
From: Minchan Kim
To: akpm@linux-foundation.org, torvalds@linux-foundation.org
Cc: LKML, linux-mm, jannh@google.com, mhocko@suse.com, shakeelb@google.com, surenb@google.com, christian@brauner.io, rientjes@google.com, bgeffon@google.com, vbabka@suse.cz, Minchan Kim, security@kernel.org
Subject: [PATCH] mm/madvise: remove racy mm ownership check
Date: Tue, 8 Dec 2020 19:21:55 -0800
Message-Id: <20201209032155.564991-1-minchan@kernel.org>
X-Mailer: git-send-email 2.29.2.576.ga3fc446d84-goog

Jann spotted the security hole due to a race in the mm ownership check.
If the task is sharing the mm_struct but goes through execve() before
mm_access(), it could skip the process_madvise_behavior_valid check.
That lets *any advice hint* reach into the remote process.

This patch removes the mm ownership check. With it, we lose the ability
for a local process to give *any* advice hint via the vector interface
for some reason (e.g., performance). Since there is no concrete example
in upstream yet, it would be better to remove the ability at this moment
and review it again when such new advice comes up.

Cc: security@kernel.org
Fixes: ecb8ac8b1f14 ("mm/madvise: introduce process_madvise() syscall: an external memory hinting API")
Reported-by: Jann Horn
Suggested-by: Jann Horn
Signed-off-by: Minchan Kim
---
 mm/madvise.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/mm/madvise.c b/mm/madvise.c
index a8d8d48a57fe..13f5677b9322 100644
--- a/mm/madvise.c
+++ b/mm/madvise.c
@@ -1204,8 +1204,7 @@ SYSCALL_DEFINE5(process_madvise, int, pidfd, const struct iovec __user *, vec, goto put_pid; } - if (task->mm != current->mm && - !process_madvise_behavior_valid(behavior)) { + if (!process_madvise_behavior_valid(behavior)) { ret = -EINVAL; goto release_task; }
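Review bot: the remaining condition depends only on `behavior`, so the validation can be hoisted above the pidfd/task lookup (ahead of the `goto put_pid` path visible at the top of the hunk) and return -EINVAL without ever taking the pid and task references; as placed, an invalid hint still pays for the lookup and the `goto release_task` unwind. The hoist is safe for the same reason the patch works: `task->mm` is whatever the target has at the instant of the compare and can be swapped by execve() before mm_access() pins it, while `behavior` cannot change under the caller. Dropping the `task->mm != current->mm` short-cut also changes the ABI for a caller that targets its own pidfd, which now gets -EINVAL for hints outside process_madvise_behavior_valid(); that is what the commit message intends, but it deserves a line in the process_madvise(2) man page.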
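The race in the commit message is a check-then-use on a field the target can change. The following is an added example, not code from the patch or the kernel tree: a user-space model of the syscall tail (ownership check, a window, mm_access(), apply) with a hook that plays the target thread calling execve() inside the window. `struct task`, `struct mm`, `process_madvise_model()` and `simulated_execve()` are hypothetical stand-ins; the MADV_* values are the Linux uapi numbers, and the assumption that the remote-safe set is MADV_COLD and MADV_PAGEOUT follows the 5.10-era process_madvise_behavior_valid().

```c
/* Added example (not part of the patch or the kernel): a user-space model of
 * the check-then-use window described in the commit message.  struct task,
 * struct mm, process_madvise_model() and simulated_execve() are hypothetical
 * stand-ins for the kernel objects and functions. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct mm   { int id; };
struct task { struct mm *mm; };

/* Hint values as in the Linux uapi <asm-generic/mman-common.h>. */
enum { MADV_DONTNEED = 4, MADV_COLD = 20, MADV_PAGEOUT = 21 };

/* Assumption: the remote-safe set is MADV_COLD and MADV_PAGEOUT, as in the
 * 5.10-era process_madvise_behavior_valid(). */
static bool process_madvise_behavior_valid(int behavior)
{
    switch (behavior) {
    case MADV_COLD:
    case MADV_PAGEOUT:
        return true;
    default:
        return false;
    }
}

/* Stand-in for the target thread calling execve(): it drops the shared mm
 * and gets a brand-new one, so the earlier ownership compare is stale. */
static void simulated_execve(struct task *t)
{
    static struct mm fresh = { .id = 99 };
    t->mm = &fresh;
}

typedef void (*window_fn)(struct task *target);

/*
 * Model of the syscall tail: ownership check, [window], mm_access(), apply.
 * racy_check == true reproduces the pre-patch logic, which skips the
 * behavior validation when target->mm == self->mm at check time.
 * Returns the mm the hint would be applied to, or NULL with *err = -EINVAL.
 */
static struct mm *process_madvise_model(struct task *self, struct task *target,
                                        int behavior, bool racy_check,
                                        window_fn window, int *err)
{
    bool same_mm_at_check = (target->mm == self->mm);

    if (!(racy_check && same_mm_at_check) &&
        !process_madvise_behavior_valid(behavior)) {
        *err = -EINVAL;
        return NULL;
    }

    if (window)
        window(target);     /* target may execve() here, after the check */

    /* mm_access() pins whatever mm the task has *now*, not at check time. */
    *err = 0;
    return target->mm;
}

/*
 * Scenario from the commit message: caller and target share one mm (two
 * threads), the caller passes a hint outside the remote-safe set, and the
 * target execve()s inside the window.  True if the hint lands on an mm
 * that is not the caller's own.
 */
bool hint_escaped_to_foreign_mm(bool racy_check)
{
    struct mm shared = { .id = 1 };
    struct task caller = { .mm = &shared };
    struct task target = { .mm = &shared };
    int err;

    struct mm *hit = process_madvise_model(&caller, &target, MADV_DONTNEED,
                                           racy_check, simulated_execve, &err);
    return hit != NULL && hit != caller.mm;
}

/* The legitimate use survives the fix: a hint on a different process's mm
 * is accepted iff it is in the remote-safe set.  Returns 0 or -EINVAL. */
int remote_hint_result(int behavior)
{
    struct mm a = { .id = 1 }, b = { .id = 2 };
    struct task caller = { .mm = &a };
    struct task target = { .mm = &b };
    int err;

    process_madvise_model(&caller, &target, behavior, false, NULL, &err);
    return err;
}

int main(void)
{
    printf("pre-patch check, execve in window: escaped=%d\n", hint_escaped_to_foreign_mm(true));
    printf("patched check,   execve in window: escaped=%d\n", hint_escaped_to_foreign_mm(false));
    printf("patched check, MADV_COLD on remote mm: err=%d\n", remote_hint_result(MADV_COLD));
    return 0;
}
```

The model keeps the kernel's ordering on purpose: the only thing the patched check consults is `behavior`, which the caller owns, so nothing the target does between the check and mm_access() can widen the set of hints that reach a foreign mm.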