| Message ID | 20200410202613.3679837-1-andriin@fb.com |
|---|---|
| State | Accepted |
| Delegated to: | BPF Maintainers |
| Headers | show |
| Series | [v2,bpf,1/2] bpf: prevent re-mmap()'ing BPF map as writable for initially r/o mapping | expand |
On Fri, Apr 10, 2020 at 10:26 PM Andrii Nakryiko <andriin@fb.com> wrote: > VM_MAYWRITE flag during initial memory mapping determines if already mmap()'ed > pages can be later remapped as writable ones through mprotect() call. To > prevent user application to rewrite contents of memory-mapped as read-only and > subsequently frozen BPF map, remove VM_MAYWRITE flag completely on initially > read-only mapping. > > Alternatively, we could treat any memory-mapping on unfrozen map as writable > and bump writecnt instead. But there is little legitimate reason to map > BPF map as read-only and then re-mmap() it as writable through mprotect(), > instead of just mmap()'ing it as read/write from the very beginning. > > Also, at the suggestion of Jann Horn, drop unnecessary refcounting in mmap > operations. We can just rely on VMA holding reference to BPF map's file > properly. > > Fixes: fc9702273e2e ("bpf: Add mmap() support for BPF_MAP_TYPE_ARRAY") > Reported-by: Jann Horn <jannh@google.com> > Signed-off-by: Andrii Nakryiko <andriin@fb.com> Reviewed-by: Jann Horn <jannh@google.com> (in the sense that I think this patch is good and correct, but does not fix the entire problem in the bigger picture)
On Tue, Apr 14, 2020 at 9:58 AM Jann Horn <jannh@google.com> wrote: > > On Fri, Apr 10, 2020 at 10:26 PM Andrii Nakryiko <andriin@fb.com> wrote: > > VM_MAYWRITE flag during initial memory mapping determines if already mmap()'ed > > pages can be later remapped as writable ones through mprotect() call. To > > prevent user application to rewrite contents of memory-mapped as read-only and > > subsequently frozen BPF map, remove VM_MAYWRITE flag completely on initially > > read-only mapping. > > > > Alternatively, we could treat any memory-mapping on unfrozen map as writable > > and bump writecnt instead. But there is little legitimate reason to map > > BPF map as read-only and then re-mmap() it as writable through mprotect(), > > instead of just mmap()'ing it as read/write from the very beginning. > > > > Also, at the suggestion of Jann Horn, drop unnecessary refcounting in mmap > > operations. We can just rely on VMA holding reference to BPF map's file > > properly. > > > > Fixes: fc9702273e2e ("bpf: Add mmap() support for BPF_MAP_TYPE_ARRAY") > > Reported-by: Jann Horn <jannh@google.com> > > Signed-off-by: Andrii Nakryiko <andriin@fb.com> > > Reviewed-by: Jann Horn <jannh@google.com> > > (in the sense that I think this patch is good and correct, but does > not fix the entire problem in the bigger picture) I agree, we'll continue discussion on the other thread, but this should be applied as a bug fix anyways.
On 4/14/20 8:28 PM, Andrii Nakryiko wrote: > On Tue, Apr 14, 2020 at 9:58 AM Jann Horn <jannh@google.com> wrote: >> On Fri, Apr 10, 2020 at 10:26 PM Andrii Nakryiko <andriin@fb.com> wrote: >>> VM_MAYWRITE flag during initial memory mapping determines if already mmap()'ed >>> pages can be later remapped as writable ones through mprotect() call. To >>> prevent user application to rewrite contents of memory-mapped as read-only and >>> subsequently frozen BPF map, remove VM_MAYWRITE flag completely on initially >>> read-only mapping. >>> >>> Alternatively, we could treat any memory-mapping on unfrozen map as writable >>> and bump writecnt instead. But there is little legitimate reason to map >>> BPF map as read-only and then re-mmap() it as writable through mprotect(), >>> instead of just mmap()'ing it as read/write from the very beginning. >>> >>> Also, at the suggestion of Jann Horn, drop unnecessary refcounting in mmap >>> operations. We can just rely on VMA holding reference to BPF map's file >>> properly. >>> >>> Fixes: fc9702273e2e ("bpf: Add mmap() support for BPF_MAP_TYPE_ARRAY") >>> Reported-by: Jann Horn <jannh@google.com> >>> Signed-off-by: Andrii Nakryiko <andriin@fb.com> >> >> Reviewed-by: Jann Horn <jannh@google.com> >> >> (in the sense that I think this patch is good and correct, but does >> not fix the entire problem in the bigger picture) > > I agree, we'll continue discussion on the other thread, but this > should be applied as a bug fix anyways. Applied, thanks!
diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c index 64783da34202..d85f37239540 100644 --- a/kernel/bpf/syscall.c +++ b/kernel/bpf/syscall.c @@ -586,9 +586,7 @@ static void bpf_map_mmap_open(struct vm_area_struct *vma) { struct bpf_map *map = vma->vm_file->private_data; - bpf_map_inc_with_uref(map); - - if (vma->vm_flags & VM_WRITE) { + if (vma->vm_flags & VM_MAYWRITE) { mutex_lock(&map->freeze_mutex); map->writecnt++; mutex_unlock(&map->freeze_mutex); @@ -600,13 +598,11 @@ static void bpf_map_mmap_close(struct vm_area_struct *vma) { struct bpf_map *map = vma->vm_file->private_data; - if (vma->vm_flags & VM_WRITE) { + if (vma->vm_flags & VM_MAYWRITE) { mutex_lock(&map->freeze_mutex); map->writecnt--; mutex_unlock(&map->freeze_mutex); } - - bpf_map_put_with_uref(map); } static const struct vm_operations_struct bpf_map_default_vmops = { @@ -635,14 +631,16 @@ static int bpf_map_mmap(struct file *filp, struct vm_area_struct *vma) /* set default open/close callbacks */ vma->vm_ops = &bpf_map_default_vmops; vma->vm_private_data = map; + vma->vm_flags &= ~VM_MAYEXEC; + if (!(vma->vm_flags & VM_WRITE)) + /* disallow re-mapping with PROT_WRITE */ + vma->vm_flags &= ~VM_MAYWRITE; err = map->ops->map_mmap(map, vma); if (err) goto out; - bpf_map_inc_with_uref(map); - - if (vma->vm_flags & VM_WRITE) + if (vma->vm_flags & VM_MAYWRITE) map->writecnt++; out: mutex_unlock(&map->freeze_mutex);
VM_MAYWRITE flag during initial memory mapping determines if already mmap()'ed pages can be later remapped as writable ones through mprotect() call. To prevent user application to rewrite contents of memory-mapped as read-only and subsequently frozen BPF map, remove VM_MAYWRITE flag completely on initially read-only mapping. Alternatively, we could treat any memory-mapping on unfrozen map as writable and bump writecnt instead. But there is little legitimate reason to map BPF map as read-only and then re-mmap() it as writable through mprotect(), instead of just mmap()'ing it as read/write from the very beginning. Also, at the suggestion of Jann Horn, drop unnecessary refcounting in mmap operations. We can just rely on VMA holding reference to BPF map's file properly. Fixes: fc9702273e2e ("bpf: Add mmap() support for BPF_MAP_TYPE_ARRAY") Reported-by: Jann Horn <jannh@google.com> Signed-off-by: Andrii Nakryiko <andriin@fb.com> --- kernel/bpf/syscall.c | 16 +++++++--------- 1 file changed, 7 insertions(+), 9 deletions(-)