On Thu, Apr 2, 2020 at 1:53 PM KP Singh <kpsingh@xxxxxxxxxxxx> wrote:
> On 02-Apr 07:15, Jann Horn wrote:
[...]
> > I suspect that you're using different versions of libc, or something's
> > different in the memory layout, or something like that. The brk region
> > is used for memory allocations using brk(), but memory allocations
> > using mmap() land outside it. At least some versions of libc try to
> > allocate memory for malloc() with brk(), then fall back to mmap() if
> > that fails because there's something else behind the current end of
> > the brk region; but I think there might also be versions of libc that
> > directly use mmap() and don't even try to use brk().
>
> Yeah missed this that heap can also be allocated using mmap:
[...]
> I updated my test case to check for mmaps on the stack instead:
[...]
> + is_stack = (vma->vm_start <= vma->vm_mm->start_stack &&
> + vma->vm_end >= vma->vm_mm->start_stack);
>
> - if (is_heap && monitored_pid == pid) {
> + if (is_stack && monitored_pid == pid) {
> mprotect_count++;
> ret = -EPERM;
> }
>
> and the the logic seems to work for me. Do you think we could use
> this instead?
Yeah, I think that should work. (Just keep in mind that a successful
mprotect() operation will split the VMA into three VMAs - but that
shouldn't be a problem here, since you only do it once per process,
and since you're denying the operation, it won't go through anyway.)
