Re: [patch 2.6.13-rc4] fix get_user_pages bug

From: Linus Torvalds
Date: Mon Aug 01 2005 - 16:58:31 EST

Next message: Adrian Bunk: "[2.6 patch] i386: fix incorrect TSS entry for LDT"
Previous message: Rafael J. Wysocki: "Re: revert yenta free_irq on suspend"
In reply to: Hugh Dickins: "Re: [patch 2.6.13-rc4] fix get_user_pages bug"
Next in thread: Linus Torvalds: "Re: [patch 2.6.13-rc4] fix get_user_pages bug"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, 1 Aug 2005, Hugh Dickins wrote:
> >
> > We have always just done a COW if it's read-only - even if it's shared.
> >
> > The point being that if a process mapped did a read-only mapping, and a
> > tracer wants to modify memory, the tracer is always allowed to do so, but
> > it's _not_ going to write anything back to the filesystem. Writing
> > something back to an executable just because the user happened to mmap it
> > with MAP_SHARED (but read-only) _and_ the user had the right to write to
> > that fd is _not_ ok.
>
> I'll need to think that through, but not right now. It's a surprise
> to me, and it's likely to surprise the current kernel too.

Well, even if you did the write-back if VM_MAYWRITE is set, you'd still
have the case of having MAP_SHARED, PROT_READ _without_ VM_MAYWRITE being
set, and I'd expect that to actually be the common one (since you'd
normally use O_RDONLY to open a fd that you only want to map for reading).

And as mentioned, MAP_SHARED+PROT_READ does actually happen in real life.
Just do a google search on "MAP_SHARED PROT_READ -PROT_WRITE" and you'll
get tons of hits. For good reason too - because MAP_PRIVATE isn't actually
coherent on several old UNIXes.

So you'd still have to convert such a case to a COW mapping, so it's not
like you can avoid it.

Of course, if VM_MAYWRITE is not set, you could just convert it silently
to a MAP_PRIVATE at the VM level (that's literally what we used to do,
back when we didn't support writable shared mappings at all, all those
years ago), so at least now the COW behaviour would match the vma_flags.

> I'd prefer to say that if the executable was mapped shared from a writable fd,
> then the tracer will write back to it; but you're clearly against that.

Absolutely. I can just see somebody mapping an executable MAP_SHARED and
PROT_READ, and something as simple as doing a breakpoint while debugging
causing system-wide trouble.

I really don't think that's acceptable.

And I'm not making it up - add PROT_EXEC to the google search around, and
watch it being done exactly that way. Several of the hits mention shared
libraries too.

I strongly suspect that almost all cases will be opened with O_RDONLY, but
still..

Linus
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Adrian Bunk: "[2.6 patch] i386: fix incorrect TSS entry for LDT"
Previous message: Rafael J. Wysocki: "Re: revert yenta free_irq on suspend"
In reply to: Hugh Dickins: "Re: [patch 2.6.13-rc4] fix get_user_pages bug"
Next in thread: Linus Torvalds: "Re: [patch 2.6.13-rc4] fix get_user_pages bug"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]