On Thu, Apr 2, 2020 at 4:39 PM Jann Horn <jannh@xxxxxxxxxx> wrote:
>
> On Thu, Apr 2, 2020 at 1:53 PM KP Singh <kpsingh@xxxxxxxxxxxx> wrote:
> > On 02-Apr 07:15, Jann Horn wrote:
> [...]
> > > I suspect that you're using different versions of libc, or something's
> > > different in the memory layout, or something like that. The brk region
> > > is used for memory allocations using brk(), but memory allocations
> > > using mmap() land outside it. At least some versions of libc try to
> > > allocate memory for malloc() with brk(), then fall back to mmap() if
> > > that fails because there's something else behind the current end of
> > > the brk region; but I think there might also be versions of libc that
> > > directly use mmap() and don't even try to use brk().
> >
> > Yeah missed this that heap can also be allocated using mmap:
> [...]
> > I updated my test case to check for mmaps on the stack instead:
> [...]
> > + is_stack = (vma->vm_start <= vma->vm_mm->start_stack &&
> > + vma->vm_end >= vma->vm_mm->start_stack);
> >
> > - if (is_heap && monitored_pid == pid) {
> > + if (is_stack && monitored_pid == pid) {
> > mprotect_count++;
> > ret = -EPERM;
> > }
> >
> > and the the logic seems to work for me. Do you think we could use
> > this instead?
>
> Yeah, I think that should work. (Just keep in mind that a successful
> mprotect() operation will split the VMA into three VMAs - but that
> shouldn't be a problem here, since you only do it once per process,
> and since you're denying the operation, it won't go through anyway.)
Okay I will send a patch that fixes this test. Thanks everyone!
- KP
