Re: [PATCH] /dev/zero: make private mapping full anonymous mapping
From: Lorenzo Stoakes
Date: Tue Jan 14 2025 - 13:27:24 EST
On Tue, Jan 14, 2025 at 06:22:14PM +0000, Matthew Wilcox wrote:
> On Tue, Jan 14, 2025 at 06:19:32PM +0000, Lorenzo Stoakes wrote:
> > I see shmem_zero_page() does change vma->vm_page, this is broken... ugh. I
>
> I think you mean shmem_zero_setup() and vma->vm_file, right?
Yes, correct. Sorry, it's late here and it's showing, haha!
The reason I am concerned about this is because we thread mmap state
through the operation which has a separate file pointer which this makes
into a potential UAF.
Will audit all this and for any other problematic .mmap() callback
behaviour.
My view is ideally this should be a callback with a const pointer to the
VMA (or some other mechanism, perhaps) which accepts a change in
_permitted_ fields only.
The 'anything could happen and anybody could manipulate any field of the
VMA' in this callback is highly problematic.
But we definitely shouldn't be adding a _new_ case here.
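The concern above (a callback that quietly swaps `vma->vm_file` while the caller keeps using its own copy of the file pointer, versus a callback that gets a const VMA and may only return changes to permitted fields) is illustrated by the following toy model. This is an added example written for this page, not Linux kernel code: `struct vma`, `struct mmap_state`, `struct mmap_permitted_changes`, `cb_swaps_file` and `cb_const` are hypothetical stand-ins, and the file objects are constructed so the two patterns can be compared in user space.

```c
#include <stdbool.h>
#include <stddef.h>

/* Toy model of the design problem discussed in the thread. None of these
 * types or functions are the kernel's real vm_area_struct, struct file or
 * mmap path; they only mimic the shape of the problem. */

struct file {
    int id;
};

struct vma {
    struct file *vm_file;     /* backing file; NULL for anonymous */
    unsigned long vm_flags;
};

/* Caller-side state threaded through the mapping operation. It takes its
 * own copy of the file pointer before the callback runs, which is exactly
 * the pointer that goes stale if the callback replaces vma->vm_file. */
struct mmap_state {
    struct file *file;
    unsigned long flags;
};

/* Constructed sample objects standing in for the two backing files. */
static struct file zero_file  = { .id = 1 };
static struct file shmem_file = { .id = 2 };

/* --- Pattern A: the callback gets the VMA with full write access. --- */

/* Mimics a callback that swaps vma->vm_file behind the caller's back. */
static int cb_swaps_file(struct vma *vma)
{
    vma->vm_file = &shmem_file;
    return 0;
}

/* Returns true when the caller's cached pointer no longer matches the VMA
 * after the callback, i.e. the state the caller keeps using is stale. */
bool mutable_callback_leaves_stale_pointer(void)
{
    struct vma vma = { .vm_file = &zero_file, .vm_flags = 0 };
    struct mmap_state st = { .file = vma.vm_file, .flags = vma.vm_flags };

    cb_swaps_file(&vma);
    return st.file != vma.vm_file;   /* true: caller still holds zero_file */
}

/* --- Pattern B: const VMA plus an explicit set of permitted changes. --- */

struct mmap_permitted_changes {
    unsigned long vm_flags;   /* the only field the callback may change */
};

static int cb_const(const struct vma *vma, struct mmap_permitted_changes *out)
{
    /* vma->vm_file = &shmem_file;  <- would not compile: vma is const */
    out->vm_flags = vma->vm_flags | 0x1;
    return 0;
}

/* The caller applies only the permitted change itself, so its cached
 * state and the VMA cannot diverge on any non-permitted field. */
bool const_callback_keeps_state_consistent(void)
{
    struct vma vma = { .vm_file = &zero_file, .vm_flags = 0 };
    struct mmap_state st = { .file = vma.vm_file, .flags = vma.vm_flags };
    struct mmap_permitted_changes ch = { .vm_flags = vma.vm_flags };

    if (cb_const(&vma, &ch) != 0)
        return false;

    vma.vm_flags = ch.vm_flags;   /* caller, not callback, mutates the VMA */
    st.flags = ch.vm_flags;

    return st.file == vma.vm_file && st.flags == vma.vm_flags;
}
```

The point of pattern B is not the particular field chosen but that the compiler enforces the contract: anything outside the permitted-changes struct cannot be touched from inside the callback, so the caller's threaded state stays authoritative.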