LKML Archive on lore.kernel.org
From: Hugh Dickins <hugh@veritas.com>
To: Stas Sergeev <stsp@aknet.ru>
Cc: Andrew Morton <akpm@osdl.org>, <linux-kernel@vger.kernel.org>
Subject: Re: Bug in VM accounting code, probably exploitable
Date: Tue, 11 May 2004 21:45:08 +0100 (BST)
Message-ID: <Pine.LNX.4.44.0405112118230.9018-100000@localhost.localdomain>
In-Reply-To: <40A12E83.7030209@aknet.ru>

On Tue, 11 May 2004, Stas Sergeev wrote:
> mprotect() fails to merge VMAs because one VMA can end up with
> VM_ACCOUNT flag set, and another without that flag. That makes
> several apps of mine malfunction.
> And the fix also looks very strange, but it seems to work.

Great find!  Someone has got their test the wrong way round.
Your patch is good, but since that VM_MAYACCT macro is being
used in one place only, and just hiding what it's actually about,
I'd prefer the patch below.  Against 2.6.6: Andrew, please apply.

--- 2.6.6/include/linux/mm.h	2004-05-10 03:33:36.000000000 +0100
+++ linux/include/linux/mm.h	2004-05-11 21:26:12.296881936 +0100
@@ -112,9 +112,6 @@ struct vm_area_struct {
 #define VM_HUGETLB	0x00400000	/* Huge TLB Page VM */
 #define VM_NONLINEAR	0x00800000	/* Is non-linear (remap_file_pages) */
 
-/* It makes sense to apply VM_ACCOUNT to this vma. */
-#define VM_MAYACCT(vma) (!!((vma)->vm_flags & VM_HUGETLB))
-
 #ifndef VM_STACK_DEFAULT_FLAGS		/* arch can override this */
 #define VM_STACK_DEFAULT_FLAGS VM_DATA_DEFAULT_FLAGS
 #endif
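Review bot: dropping VM_MAYACCT is the right fix for this hunk, because the comment above it ("It makes sense to apply VM_ACCOUNT to this vma") says the opposite of what the body computes: `!!((vma)->vm_flags & VM_HUGETLB)` is true only for hugetlb mappings, which are exactly the mappings that are not accounted. Since the macro is being removed rather than corrected, please confirm with a tree-wide grep that mm/mprotect.c was its only user so nothing else fails to build, and mention in the changelog that the macro's name and comment contradicted its body, so anyone backporting understands why the test was inverted rather than merely tidied.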
--- 2.6.6/mm/mprotect.c	2004-05-10 03:33:48.000000000 +0100
+++ linux/mm/mprotect.c	2004-05-11 21:27:17.079033552 +0100
@@ -174,8 +174,7 @@ mprotect_fixup(struct vm_area_struct *vm
 	 * a MAP_NORESERVE private mapping to writable will now reserve.
 	 */
 	if (newflags & VM_WRITE) {
-		if (!(vma->vm_flags & (VM_ACCOUNT|VM_WRITE|VM_SHARED))
-				&& VM_MAYACCT(vma)) {
+		if (!(vma->vm_flags & (VM_ACCOUNT|VM_WRITE|VM_SHARED|VM_HUGETLB))) {
 			charged = (end - start) >> PAGE_SHIFT;
 			if (security_vm_enough_memory(charged))
 				return -ENOMEM;
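Review bot: the replacement condition inverts the old test in the right direction. Before, `&& VM_MAYACCT(vma)` required VM_HUGETLB, so an ordinary private read-only mapping that mprotect() made writable was never charged through security_vm_enough_memory() and so never carried VM_ACCOUNT, while the same mapping created writable by mmap() was; that is both the merge failure Stas reports and an overcommit-accounting bypass. Folding VM_HUGETLB into the exclusion mask makes hugetlb the single exemption, which matches the old intent. Two small follow-ups: the comment just above ("a MAP_NORESERVE private mapping to writable will now reserve") could gain a clause saying hugetlb mappings are skipped because their pages are reserved separately, and it is worth confirming in the code below this hunk that a non-zero `charged` still results in VM_ACCOUNT being set on the new flags, so that a VMA charged here ends up with the same vm_flags as one charged at mmap time and the two can merge.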
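To make the inversion concrete without booting a 2.6.6 kernel, here is a small userspace model of the two versions of the test (an added example, not code from the kernel or from this thread). It reuses the flag names from the hunks with assumed numeric values (only their distinctness matters), reimplements VM_MAYACCT as the removed macro defined it, and walks through the scenario from the report: a private mapping created writable by mmap(), which is accounted and carries VM_ACCOUNT, next to a private read-only mapping that mprotect() later makes writable. With the old test the second mapping is never charged, so the two VMAs differ in VM_ACCOUNT and cannot merge, and the overcommit limit is silently bypassed for that range; with the fixed test both end up identical.

```c
#include <stdbool.h>

/*
 * Constructed model, not kernel code. Flag names follow include/linux/mm.h
 * of the 2.6.6 era; the values are assumed for the model and only need to
 * be distinct bits.
 */
#define VM_WRITE	0x00000002
#define VM_SHARED	0x00000008
#define VM_ACCOUNT	0x00100000	/* assumed value */
#define VM_HUGETLB	0x00400000	/* as in the hunk */

/* The macro removed by the patch: true exactly for hugetlb mappings. */
#define VM_MAYACCT(flags)	(!!((flags) & VM_HUGETLB))

typedef bool (*charge_test_t)(unsigned long vm_flags, unsigned long newflags);

/* The test as shipped in 2.6.6 mprotect_fixup(): hugetlb was the only case charged. */
static bool old_should_charge(unsigned long vm_flags, unsigned long newflags)
{
	if (!(newflags & VM_WRITE))
		return false;
	return !(vm_flags & (VM_ACCOUNT|VM_WRITE|VM_SHARED)) && VM_MAYACCT(vm_flags);
}

/* The test after Hugh's patch: hugetlb is the only case exempted. */
static bool new_should_charge(unsigned long vm_flags, unsigned long newflags)
{
	if (!(newflags & VM_WRITE))
		return false;
	return !(vm_flags & (VM_ACCOUNT|VM_WRITE|VM_SHARED|VM_HUGETLB));
}

/*
 * Model mprotect(PROT_READ|PROT_WRITE) on one VMA: the new flags gain
 * VM_WRITE, and gain VM_ACCOUNT only if the chosen test says to charge.
 * (Assumed simplification: the real code also tracks the charged page count.)
 */
static unsigned long mprotect_to_writable(unsigned long vm_flags, charge_test_t test)
{
	unsigned long newflags = vm_flags | VM_WRITE;

	if (test(vm_flags, newflags))
		newflags |= VM_ACCOUNT;
	return newflags;
}

/* Adjacent VMAs can only be merged when their vm_flags are identical. */
static bool can_merge(unsigned long a, unsigned long b)
{
	return a == b;
}

/*
 * Scenario from the report: a private writable anonymous mapping accounted
 * at mmap() time, next to a private read-only one later made writable.
 * Returns true when the chosen test leaves the two unmergeable.
 */
static bool reproduces_merge_failure(charge_test_t test)
{
	unsigned long writable_vma = VM_WRITE | VM_ACCOUNT;	/* mmap(PROT_WRITE) */
	unsigned long readonly_vma = 0;				/* mmap(PROT_READ) */
	unsigned long after = mprotect_to_writable(readonly_vma, test);

	return !can_merge(writable_vma, after);
}
```

Running the two tests over the same inputs shows the old one charging only hugetlb mappings, which is the case that should have been skipped, and the fixed one charging every private, previously unaccounted, non-hugetlb mapping on its transition to writable.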


Thread overview: 4+ messages
2004-05-11 19:50 Stas Sergeev
2004-05-11 20:45 ` Hugh Dickins [this message]
2004-05-20 19:43 ` Marcelo Tosatti
2004-05-22 12:46   ` Stas Sergeev