| Message ID | 20230515130958.32471-1-lrh2000@pku.edu.cn |
|---|---|
| Headers | show |
| Series | Fix type confusion in page_table_check | expand |
On Mon, May 15, 2023 at 12:28:54PM -0400, Pasha Tatashin wrote: > > On Mon, May 15, 2023 at 9:10 AM Ruihan Li <lrh2000@pku.edu.cn> wrote: > > > > The current uses of PageAnon in page table check functions can lead to > > type confusion bugs between struct page and slab [1], if slab pages are > > accidentally mapped into the user space. This is because slab reuses the > > bits in struct page to store its internal states, which renders PageAnon > > ineffective on slab pages. > > > > Since slab pages are not expected to be mapped into the user space, this > > patch adds BUG_ON(PageSlab(page)) checks to make sure that slab pages > > are not inadvertently mapped. Otherwise, there must be some bugs in the > > kernel. > > > > Reported-by: syzbot+fcf1a817ceb50935ce99@syzkaller.appspotmail.com > > Closes: https://lore.kernel.org/lkml/000000000000258e5e05fae79fc1@google.com/ [1] > > Fixes: df4e817b7108 ("mm: page table check") > > Cc: <stable@vger.kernel.org> # 5.17 > > Signed-off-by: Ruihan Li <lrh2000@pku.edu.cn> > > Acked-by: Pasha Tatashin <pasha.tatashin@soleen.com> > > I would also update order in mm/memory.c > static int validate_page_before_insert(struct page *page) > { > if (PageAnon(page) || PageSlab(page) || page_has_type(page)) > > It is not strictly a bug there, as it works by accident, but > PageSlab() should go before PageAnon(), because without checking if > this is PageSlab() we should not be testing for PageAnon(). Right. Perhaps it would be better to send another patch for this separately. > > Thanks you, > Pasha Thanks, Ruihan Li
On 16.05.23 13:51, Ruihan Li wrote: > On Mon, May 15, 2023 at 12:28:54PM -0400, Pasha Tatashin wrote: >> >> On Mon, May 15, 2023 at 9:10 AM Ruihan Li <lrh2000@pku.edu.cn> wrote: >>> >>> The current uses of PageAnon in page table check functions can lead to >>> type confusion bugs between struct page and slab [1], if slab pages are >>> accidentally mapped into the user space. This is because slab reuses the >>> bits in struct page to store its internal states, which renders PageAnon >>> ineffective on slab pages. >>> >>> Since slab pages are not expected to be mapped into the user space, this >>> patch adds BUG_ON(PageSlab(page)) checks to make sure that slab pages >>> are not inadvertently mapped. Otherwise, there must be some bugs in the >>> kernel. >>> >>> Reported-by: syzbot+fcf1a817ceb50935ce99@syzkaller.appspotmail.com >>> Closes: https://lore.kernel.org/lkml/000000000000258e5e05fae79fc1@google.com/ [1] >>> Fixes: df4e817b7108 ("mm: page table check") >>> Cc: <stable@vger.kernel.org> # 5.17 >>> Signed-off-by: Ruihan Li <lrh2000@pku.edu.cn> >> >> Acked-by: Pasha Tatashin <pasha.tatashin@soleen.com> >> >> I would also update order in mm/memory.c >> static int validate_page_before_insert(struct page *page) >> { >> if (PageAnon(page) || PageSlab(page) || page_has_type(page)) >> >> It is not strictly a bug there, as it works by accident, but >> PageSlab() should go before PageAnon(), because without checking if >> this is PageSlab() we should not be testing for PageAnon(). > > Right. Perhaps it would be better to send another patch for this > separately. Probably not really worth it IMHO. With PageSlab() we might have PageAnon() false-positives. Either will take the same path here ... On a related note, stable_page_flags() checks PageKsm()/PageAnon() without caring about PageSlab(). At least it's just a debugging interface and will indicate KPF_SLAB in any case as well ...
> >> Acked-by: Pasha Tatashin <pasha.tatashin@soleen.com> > >> > >> I would also update order in mm/memory.c > >> static int validate_page_before_insert(struct page *page) > >> { > >> if (PageAnon(page) || PageSlab(page) || page_has_type(page)) > >> > >> It is not strictly a bug there, as it works by accident, but > >> PageSlab() should go before PageAnon(), because without checking if > >> this is PageSlab() we should not be testing for PageAnon(). > > > > Right. Perhaps it would be better to send another patch for this > > separately. Yes, as a separate from this series patch would work. > > Probably not really worth it IMHO. With PageSlab() we might have > PageAnon() false-positives. Either will take the same path here ... That is correct, it works by accident, but it is not a good idea to keep a broken logic at least because it may be copied into other places.
Recently, syzbot reported [1] ("kernel BUG in page_table_check_clear"). The root cause is that usbdev_mmap calls remap_pfn_range on kmalloc'ed memory, which leads to type confusion between struct page and slab in page_table_check. This series of patches fixes the usb side by avoiding mapping slab pages into userspace, and fixes the mm side by enforcing that all user-accessible pages are not slab pages. A more detailed analysis and some discussion of how to fix the problem can also be found in [1]. [1] https://lore.kernel.org/lkml/20230507135844.1231056-1-lrh2000@pku.edu.cn/T/ Changes since v1: * Fix inconsistent coding styles. (Alan Stern) * Relax !DEVMEM requirements to EXCLUSIVE_SYSTEM_RAM, which is equivalent to !DEVMEM || STRICT_DEVMEM. (David Hildenbrand) * A few random tweaks in commit messages and code comments, none of them major. Link to v1: https://lore.kernel.org/lkml/20230510085527.57953-1-lrh2000@pku.edu.cn/T/ Cc: Matthew Wilcox <willy@infradead.org> Cc: David Hildenbrand <david@redhat.com> Cc: Pasha Tatashin <pasha.tatashin@soleen.com> Cc: Andrew Morton <akpm@linux-foundation.org> Cc: Alan Stern <stern@rowland.harvard.edu> Cc: Christoph Hellwig <hch@infradead.org> Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Ruihan Li (4): usb: usbfs: Enforce page requirements for mmap usb: usbfs: Use consistent mmap functions mm: page_table_check: Make it dependent on EXCLUSIVE_SYSTEM_RAM mm: page_table_check: Ensure user pages are not slab pages Documentation/mm/page_table_check.rst | 18 ++++++++++++ drivers/usb/core/buffer.c | 41 +++++++++++++++++++++++++++ drivers/usb/core/devio.c | 20 +++++++++---- include/linux/page-flags.h | 6 ++++ include/linux/usb/hcd.h | 5 ++++ mm/Kconfig.debug | 2 +- mm/page_table_check.c | 6 ++++ 7 files changed, 91 insertions(+), 7 deletions(-)