From patchwork Fri Sep 29 17:19:41 2023
X-Patchwork-Submitter: Kees Cook
X-Patchwork-Id: 13404630
From: Kees Cook
To: Andrew Morton
Cc: Kees Cook, Sebastian Ott, "Liam R . Howlett", Yu Zhao, linux-mm@kvack.org, linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org
Subject: [PATCH] mm: Fix vm_brk_flags() to not bail out while holding lock
Date: Fri, 29 Sep 2023 10:19:41 -0700
Message-Id: <20230929171937.work.697-kees@kernel.org>
X-Mailer: git-send-email 2.34.1
X-Developer-Key: i=keescook@chromium.org; a=openpgp; fpr=A5C3F68F229DD60F723E6E138972F4DFDC6DC026
From: Sebastian Ott

Calling vm_brk_flags() with flags set other than VM_EXEC will exit the
function without releasing the mmap_write_lock. Just do the sanity check
before the lock is acquired. This doesn't fix an actual issue since no
caller sets a flag other than VM_EXEC.

Cc: Andrew Morton
Cc: Liam R. Howlett
Cc: Yu Zhao
Cc: linux-mm@kvack.org
Fixes: 2e7ce7d354f2 ("mm/mmap: change do_brk_flags() to expand existing VMA and add do_brk_munmap()")
Signed-off-by: Sebastian Ott
Signed-off-by: Kees Cook
Reviewed-by: Liam R. Howlett
---
 mm/mmap.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/mm/mmap.c b/mm/mmap.c
index 34d2337ace59..c8996fe847c9 100644
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -3143,13 +3143,13 @@ int vm_brk_flags(unsigned long addr, unsigned long request, unsigned long flags) if (!len) return 0; - if (mmap_write_lock_killable(mm)) - return -EINTR; - /* Until we need other flags, refuse anything except VM_EXEC. */ if ((flags & (~VM_EXEC)) != 0) return -EINVAL; + if (mmap_write_lock_killable(mm)) + return -EINTR; + ret = check_brk_limits(addr, len); if (ret) goto limits_failed;
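Review bot: the reorder is sound as far as this hunk shows, since the -EINVAL return now happens before mmap_write_lock_killable() and so no longer leaks the write lock, but after the move the only early exit left inside the locked region is `goto limits_failed` when check_brk_limits() fails, and that label sits outside the hunk; worth confirming in the full function that it still unlocks before returning. One more point for the commit message: it states that no caller passes a flag other than VM_EXEC, yet it carries a Fixes: tag, which stable tooling treats as a backport candidate, so either say explicitly that the bug is latent and the tag is for bookkeeping, or drop the tag.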
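The defect the commit message describes, an early return that leaves the write lock held, is easy to reproduce in isolation. The following is an added user-space model, not the kernel's code: the "lock" is a plain depth counter standing in for mmap_write_lock(), the VM_EXEC, EINVAL and EINTR values are constructed stand-ins, and `vm_brk_flags_before`/`vm_brk_flags_after` mirror the ordering before and after the patch. Calling each with an unsupported flag shows which one returns with the lock still held.

```c
/* Added example, not the kernel's code: a user-space model of the
 * early-return lock leak fixed by the patch above. The "lock" is a depth
 * counter standing in for mmap_write_lock(); the flag and errno values
 * are constructed stand-ins for the kernel's. */
#include <stdio.h>

#define VM_EXEC 0x4UL   /* constructed stand-in for the kernel flag */
#define EINVAL  22
#define EINTR   4

static int mmap_lock_depth;   /* >0 means "held"; a real lock would warn or deadlock */

static int mmap_write_lock_killable(void) { mmap_lock_depth++; return 0; }
static void mmap_write_unlock(void)       { mmap_lock_depth--; }
int lock_depth(void)                      { return mmap_lock_depth; }
void reset_lock(void)                     { mmap_lock_depth = 0; }

/* Ordering before the patch: take the lock, then validate flags.
 * The -EINVAL return leaves the write lock held. */
int vm_brk_flags_before(unsigned long len, unsigned long flags)
{
    if (!len)
        return 0;
    if (mmap_write_lock_killable())
        return -EINTR;
    if ((flags & ~VM_EXEC) != 0)
        return -EINVAL;       /* bug: returns with the lock held */
    /* ... allocation work elided ... */
    mmap_write_unlock();
    return 0;
}

/* Ordering after the patch: validate before taking the lock, so every
 * return inside the locked region is paired with an unlock. */
int vm_brk_flags_after(unsigned long len, unsigned long flags)
{
    if (!len)
        return 0;
    if ((flags & ~VM_EXEC) != 0)
        return -EINVAL;       /* no lock taken yet, nothing to release */
    if (mmap_write_lock_killable())
        return -EINTR;
    /* ... allocation work elided ... */
    mmap_write_unlock();
    return 0;
}

/* Call fn with an unsupported flag bit set and report whether the lock
 * is still held afterwards (1 = leaked, 0 = released). */
int leaks_lock(int (*fn)(unsigned long, unsigned long))
{
    reset_lock();
    int ret = fn(4096, VM_EXEC | 0x1UL);   /* 0x1: constructed unsupported flag */
    return ret == -EINVAL && lock_depth() != 0;
}

int main(void)
{
    printf("before patch leaks lock: %d\n", leaks_lock(vm_brk_flags_before));
    printf("after patch leaks lock:  %d\n", leaks_lock(vm_brk_flags_after));
    return 0;
}
```

The model keeps the lock as a counter rather than a real mutex so the leak is observable as a non-zero depth instead of a hang; in the kernel the same leak would surface as a lockdep splat or a task stuck on the next mmap_write_lock().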