From patchwork Fri Oct 18 16:14:15 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Roberto Sassu X-Patchwork-Id: 13842014 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id 4B963D30019 for ; Fri, 18 Oct 2024 16:15:30 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id A3D3B6B0089; Fri, 18 Oct 2024 12:15:29 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id 9ED4B6B008A; Fri, 18 Oct 2024 12:15:29 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 8B4DA6B008C; Fri, 18 Oct 2024 12:15:29 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0017.hostedemail.com [216.40.44.17]) by kanga.kvack.org (Postfix) with ESMTP id 6DAF86B0089 for ; Fri, 18 Oct 2024 12:15:29 -0400 (EDT) Received: from smtpin30.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay10.hostedemail.com (Postfix) with ESMTP id DD31BC1A10 for ; Fri, 18 Oct 2024 16:15:15 +0000 (UTC) X-FDA: 82687222842.30.51729E8 Received: from frasgout13.his.huawei.com (frasgout13.his.huawei.com [14.137.139.46]) by imf09.hostedemail.com (Postfix) with ESMTP id 851CD140004 for ; Fri, 18 Oct 2024 16:15:15 +0000 (UTC) Authentication-Results: imf09.hostedemail.com; dkim=none; spf=pass (imf09.hostedemail.com: domain of roberto.sassu@huaweicloud.com designates 14.137.139.46 as permitted sender) smtp.mailfrom=roberto.sassu@huaweicloud.com; dmarc=none ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1729268051; a=rsa-sha256; cv=none; b=3yApaWyDsJLwIyNGnmXwY2Uf2aImJ9LDwm1rlo88u98dgSUD/sN0q89MwUrS5FXSArRKWt F2ngnVrAatpRxy384+7Omcg2erBlxtvR04vM1LCJVHy9KgQON9nQ2Iy3wEbQyIGd+wkBUQ RgIDNU5z+YtE46NVzR7kUj0xy3B02gA= ARC-Authentication-Results: i=1; imf09.hostedemail.com; dkim=none; spf=pass (imf09.hostedemail.com: domain of roberto.sassu@huaweicloud.com designates 14.137.139.46 as permitted sender) smtp.mailfrom=roberto.sassu@huaweicloud.com; dmarc=none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1729268051; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-transfer-encoding:content-transfer-encoding: in-reply-to:references; bh=jUOpsFNGzXQc9MzkojJXxC1Izimapc38pTVhKrWl7GA=; b=2Be0nN4eM+Go0qWsJmA5zX8mG6ADS9y46BGZqLuzXGj+XEqHU0vcUx9KMFWRQgM++DCyaS kHxMJopEoiW9rGXllSSegOAnMQWpTdGi5bsu9UXVsliQOCYJf2i9RWcMmPp/Mn1ykCOTCc eDZ/0WeoHRTFdByKgkvDc9WBIb/K4KI= Received: from mail.maildlp.com (unknown [172.18.186.29]) by frasgout13.his.huawei.com (SkyGuard) with ESMTP id 4XVTmm5HqYz9v7J5 for ; Fri, 18 Oct 2024 23:55:04 +0800 (CST) Received: from mail02.huawei.com (unknown [7.182.16.47]) by mail.maildlp.com (Postfix) with ESMTP id 35BD0140361 for ; Sat, 19 Oct 2024 00:15:12 +0800 (CST) Received: from huaweicloud.com (unknown [10.204.63.22]) by APP1 (Coremail) with SMTP id LxC2BwC3+zJ_iRJnh0oaAw--.43081S2; Fri, 18 Oct 2024 17:15:11 +0100 (CET) From: Roberto Sassu To: akpm@linux-foundation.org, Liam.Howlett@oracle.com, lorenzo.stoakes@oracle.com, vbabka@suse.cz, jannh@google.com Cc: linux-mm@kvack.org, linux-kernel@vger.kernel.org, ebpqwerty472123@gmail.com, paul@paul-moore.com, zohar@linux.ibm.com, dmitry.kasatkin@gmail.com, eric.snowberg@oracle.com, jmorris@namei.org, serge@hallyn.com, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, bpf@vger.kernel.org, linux-fsdevel@vger.kernel.org, "Kirill A. Shutemov" , stable@vger.kernel.org, syzbot+1cd571a672400ef3a930@syzkaller.appspotmail.com, Roberto Sassu Subject: [PATCH v2] mm: Split critical region in remap_file_pages() and invoke LSMs in between Date: Fri, 18 Oct 2024 18:14:15 +0200 Message-Id: <20241018161415.3845146-1-roberto.sassu@huaweicloud.com> X-Mailer: git-send-email 2.34.1 MIME-Version: 1.0 X-CM-TRANSID: LxC2BwC3+zJ_iRJnh0oaAw--.43081S2 X-Coremail-Antispam: 1UD129KBjvJXoW3Wry5Zr4kXF4UXF1fZFWfAFb_yoW7Gw17pF naqas0gFWkXF97Xrs2q3WDWFWYyryrKFyUurWagr1rC3sFqF1SgrWfGFW5ZF4DArykZFZ5 ZF4jyr9YkF4UJFJanT9S1TB71UUUUU7qnTZGkaVYY2UrUUUUjbIjqfuFe4nvWSU5nxnvy2 9KBjDU0xBIdaVrnRJUUUvIb4IE77IF4wAFF20E14v26ryj6rWUM7CY07I20VC2zVCF04k2 6cxKx2IYs7xG6rWj6s0DM7CIcVAFz4kK6r1j6r18M28lY4IEw2IIxxk0rwA2F7IY1VAKz4 vEj48ve4kI8wA2z4x0Y4vE2Ix0cI8IcVAFwI0_Jr0_JF4l84ACjcxK6xIIjxv20xvEc7Cj xVAFwI0_Gr0_Cr1l84ACjcxK6I8E87Iv67AKxVW8JVWxJwA2z4x0Y4vEx4A2jsIEc7CjxV AFwI0_Gr1j6F4UJwAS0I0E0xvYzxvE52x082IY62kv0487Mc02F40EFcxC0VAKzVAqx4xG 6I80ewAv7VC0I7IYx2IY67AKxVWUJVWUGwAv7VC2z280aVAFwI0_Jr0_Gr1lOx8S6xCaFV Cjc4AY6r1j6r4UM4x0Y48IcxkI7VAKI48JM4IIrI8v6xkF7I0E8cxan2IY04v7MxkF7I0E n4kS14v26r4a6rW5MxAIw28IcxkI7VAKI48JMxC20s026xCaFVCjc4AY6r1j6r4UMI8I3I 0E5I8CrVAFwI0_Jr0_Jr4lx2IqxVCjr7xvwVAFwI0_JrI_JrWlx4CE17CEb7AF67AKxVW8 ZVWrXwCIc40Y0x0EwIxGrwCI42IY6xIIjxv20xvE14v26r1j6r1xMIIF0xvE2Ix0cI8IcV CY1x0267AKxVW8JVWxJwCI42IY6xAIw20EY4v20xvaj40_Jr0_JF4lIxAIcVC2z280aVAF wI0_Jr0_Gr1lIxAIcVC2z280aVCY1x0267AKxVW8Jr0_Cr1UYxBIdaVFxhVjvjDU0xZFpf 9x07jIksgUUUUU= X-CM-SenderInfo: purev21wro2thvvxqx5xdzvxpfor3voofrz/1tbiAQAABGcRw-kMAAAAsF X-Stat-Signature: n9uw4sj3f1asrc9qma8pxffa37xchf5y X-Rspamd-Queue-Id: 851CD140004 X-Rspam-User: X-Rspamd-Server: rspam10 X-HE-Tag: 1729268115-979273 X-HE-Meta: U2FsdGVkX1+RtRVe6qrRHx33dW5F1RRQ+CsWZh2dCTBg+3GCSz95KhUsGnBQLuiGztEWVt5l0vqdOk6WcqWjIc97VWVC53B1uaKMPf1B1o+Q6z/MFEC4t2hWgfl0NzAqIjR4nMaHzXriHSDl0ETdWZacbhdL3Kt8BW4fZ8WHypujcTXIG8r1+ynBqe9I9DJfa7RdxHjqRNUBXZxCYGKhB7XpkHjRFCZuKIGUjI2SAu9FrGu0/grNiSY4EIWg+SFszZFGibkNx1eeETsziCtMqcOcPvPwoJpjdOreBM2ymSrO5M61DJhhI+EX26pMd5xqr3TpAT58VG5RhhXdqEHuK3VyOWb247g0r/c5+ooRkMU+pecURowQAmzbnK3runnDA21PhG+DKOh2vw8oHNtB8VezT3SOOV/wRWdS7XHQtScPMTfWZZ49UkdbmfnlSbOXY7mOZzAhO2P9nnvzC5VtTySK4HRx3esL4zh5A9LcG7B2id6zacbMGd/VCaWbiMUZw/Jv5aCgoZXuH1HHSlR29I2VYWXAUiGu6xPECMane6+40TAp1sFQASH65O40BsU5OAXqa1SPyl7vdri6l5aU472pJDBjQmQDurG/Y5Lq6yN0sHL290z0LdVWlBYdvsTAmk3mU2adW8NXtJ2gUlWjaQjE5eA/f46E7z1wPYudpYCOQSoT+gJq9vMxZQ5BMvzsylBaHOe4KRTjhYihW7NBKbMN10NnfoU7NsFmknYlJX6IDdoHSuD+A3Fk0ZFs6YYaqyAWgyV+FLhtt88JCMA5+i2pw3yFijMzvWEmE2sF7TMqlA4C0uvLI+OU033RAa3dZGiPp1i5QOvVXIZMvE8oJdNvKnrISZPxzQqxI7YrWOlziG9ZbhYBHg+CEY9PFswIbtGhfkHSooUpyYwzyKNcAbHoQQ3UvGWhVc8221/qTQWD1bO/7qE0zY/1C3U4zwv29famuzXOTtf7LjImhnQ h9NqRvdC d0ZTCKTTSd611tBuJtsDuvFX0Ik9QqhVw0AQv+G4MIV7RG6CfG9UxZ1IgBny/AipfSBll0Pvkw45ioRO6FcS+GEG6fh/np6UZw5CIHC8qPYgwKeOK37e6/jZWoZ3ZfaOOW7X15BeNNX3N978rjI+HuBO7oL6s+lr4uoTiMGWTLm8OkZlaKbUltJ86L5BgTu6tx3Pxiy4/XeK9eQnv+VqfDvaSTFhLzd3gCkauI52zL4fLKnGthRPPK5elML2n9Iyr96vpCx28u/8M/X2ma0K/HdijsZFBgpAFuBJvnJPE1M5W3F0zsulRlIYG5WDk4miOyiS5dN54lfZQpo4QfFqF7Kf9JPyO0iDsN5mR1G1IQiF3i56JqAEKJ2V38gKuoTkZrBlrpo1PpxFfI3Ffcm5HomVwzF0YDyC994DQN9u8N8/qCy/b1zzlrpMuWg== X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: List-Subscribe: List-Unsubscribe: From: "Kirill A. Shutemov" Commit ea7e2d5e49c0 ("mm: call the security_mmap_file() LSM hook in remap_file_pages()") fixed a security issue, it added an LSM check when trying to remap file pages, so that LSMs have the opportunity to evaluate such action like for other memory operations such as mmap() and mprotect(). However, that commit called security_mmap_file() inside the mmap_lock lock, while the other calls do it before taking the lock, after commit 8b3ec6814c83 ("take security_mmap_file() outside of ->mmap_sem"). This caused lock inversion issue with IMA which was taking the mmap_lock and i_mutex lock in the opposite way when the remap_file_pages() system call was called. Solve the issue by splitting the critical region in remap_file_pages() in two regions: the first takes a read lock of mmap_lock, retrieves the VMA and the file descriptor associated, and calculates the 'prot' and 'flags' variables; the second takes a write lock on mmap_lock, checks that the VMA flags and the VMA file descriptor are the same as the ones obtained in the first critical region (otherwise the system call fails), and calls do_mmap(). In between, after releasing the read lock and before taking the write lock, call security_mmap_file(), and solve the lock inversion issue. Cc: stable@vger.kernel.org # v6.12-rcx Fixes: ea7e2d5e49c0 ("mm: call the security_mmap_file() LSM hook in remap_file_pages()") Reported-by: syzbot+1cd571a672400ef3a930@syzkaller.appspotmail.com Closes: https://lore.kernel.org/linux-security-module/66f7b10e.050a0220.46d20.0036.GAE@google.com/ Reviewed-by: Roberto Sassu Reviewed-by: Jann Horn Reviewed-by: Lorenzo Stoakes Tested-by: Roberto Sassu Tested-by: syzbot+1cd571a672400ef3a930@syzkaller.appspotmail.com Signed-off-by: Kirill A. Shutemov Reviewed-by: Liam R. Howlett --- mm/mmap.c | 69 +++++++++++++++++++++++++++++++++++++++++-------------- 1 file changed, 52 insertions(+), 17 deletions(-) diff --git a/mm/mmap.c b/mm/mmap.c index 9c0fb43064b5..f731dd69e162 100644 --- a/mm/mmap.c +++ b/mm/mmap.c @@ -1640,6 +1640,7 @@ SYSCALL_DEFINE5(remap_file_pages, unsigned long, start, unsigned long, size, unsigned long populate = 0; unsigned long ret = -EINVAL; struct file *file; + vm_flags_t vm_flags; pr_warn_once("%s (%d) uses deprecated remap_file_pages() syscall. See Documentation/mm/remap_file_pages.rst.\n", current->comm, current->pid); @@ -1656,12 +1657,60 @@ SYSCALL_DEFINE5(remap_file_pages, unsigned long, start, unsigned long, size, if (pgoff + (size >> PAGE_SHIFT) < pgoff) return ret; - if (mmap_write_lock_killable(mm)) + if (mmap_read_lock_killable(mm)) return -EINTR; + /* + * Look up VMA under read lock first so we can perform the security + * without holding locks (which can be problematic). We reacquire a + * write lock later and check nothing changed underneath us. + */ vma = vma_lookup(mm, start); - if (!vma || !(vma->vm_flags & VM_SHARED)) + if (!vma || !(vma->vm_flags & VM_SHARED)) { + mmap_read_unlock(mm); + return -EINVAL; + } + + prot |= vma->vm_flags & VM_READ ? PROT_READ : 0; + prot |= vma->vm_flags & VM_WRITE ? PROT_WRITE : 0; + prot |= vma->vm_flags & VM_EXEC ? PROT_EXEC : 0; + + flags &= MAP_NONBLOCK; + flags |= MAP_SHARED | MAP_FIXED | MAP_POPULATE; + if (vma->vm_flags & VM_LOCKED) + flags |= MAP_LOCKED; + + /* Save vm_flags used to calculate prot and flags, and recheck later. */ + vm_flags = vma->vm_flags; + file = get_file(vma->vm_file); + + mmap_read_unlock(mm); + + /* Call outside mmap_lock to be consistent with other callers. */ + ret = security_mmap_file(file, prot, flags); + if (ret) { + fput(file); + return ret; + } + + ret = -EINVAL; + + /* OK security check passed, take write lock + let it rip. */ + if (mmap_write_lock_killable(mm)) { + fput(file); + return -EINTR; + } + + vma = vma_lookup(mm, start); + + if (!vma) + goto out; + + /* Make sure things didn't change under us. */ + if (vma->vm_flags != vm_flags) + goto out; + if (vma->vm_file != file) goto out; if (start + size > vma->vm_end) { @@ -1689,25 +1738,11 @@ SYSCALL_DEFINE5(remap_file_pages, unsigned long, start, unsigned long, size, goto out; } - prot |= vma->vm_flags & VM_READ ? PROT_READ : 0; - prot |= vma->vm_flags & VM_WRITE ? PROT_WRITE : 0; - prot |= vma->vm_flags & VM_EXEC ? PROT_EXEC : 0; - - flags &= MAP_NONBLOCK; - flags |= MAP_SHARED | MAP_FIXED | MAP_POPULATE; - if (vma->vm_flags & VM_LOCKED) - flags |= MAP_LOCKED; - - file = get_file(vma->vm_file); - ret = security_mmap_file(vma->vm_file, prot, flags); - if (ret) - goto out_fput; ret = do_mmap(vma->vm_file, start, size, prot, flags, 0, pgoff, &populate, NULL); -out_fput: - fput(file); out: mmap_write_unlock(mm); + fput(file); if (populate) mm_populate(ret, populate); if (!IS_ERR_VALUE(ret))