On Wed, Jun 26, 2024 at 02:04:53PM -0400, Liam R. Howlett wrote:
> * Kees Cook <kees@xxxxxxxxxx> [240626 12:32]:
> > On Tue, Jun 25, 2024 at 03:11:44PM -0400, Liam R. Howlett wrote:
> > > From: "Liam R. Howlett" <Liam.Howlett@xxxxxxxxxx>
> > >
> > > Change from nr_pages variable to vms.nr_accounted for the charged pages
> > > calculation. This is necessary for a future patch.
> > >
> > > This also avoids checking security_vm_enough_memory_mm() if the amount
> > > of memory won't change.
> >
> > Is there a reason for making this change? (I.e. why not leave off the
> > "charged" test?)
>
> Before, the munmap() completed prior to mmap()'ing the MAP_FIXED vma.
> If we don't remove the nr_accounted from the charged, we risk hitting
> the maximum limit.
>
> >
> > Looking at the callbacks in the LSM, only capabilities and SELinux are
> > hooking this, and both are checking whether a process has elevated privs
> > and are ignoring the "pages" argument entirely, so I'm not sure it's
> > safe to change the logic for whether to make the call based on an unused
> > argument (i.e. the LSM may want to _always_ know about this). On the
> > other hand, it looks like it's purely an accounting issue, and if the
> > page count didn't change, there's no reason to bother calling into all
> > this to make no changes to the accounting.
>
> I didn't see any reason not to avoid the call, but your statement is
> valid. I didn't see anything looking at the callbacks that would have
> issue with skipping it - but I'd like to hear what LSM has to say.
>
> I don't have any objections to removing the extra check, if anyone
> thinks it could be an issue.
>
> >
> > I've added the LSM list to CC...
>
> Thank you, and thanks for looking at this.
Sure! And barring any other feedback, I think this is safe, given the
changes to the accounting logic: no change means nothing to check.
Reviewed-by: Kees Cook <kees@xxxxxxxxxx>
-Kees
>
> >
> > -Kees
> >
> > >
> > > Signed-off-by: Liam R. Howlett <Liam.Howlett@xxxxxxxxxx>
> > > Cc: Kees Cook <kees@xxxxxxxxxx>
> > > ---
> > > mm/mmap.c | 6 ++++--
> > > 1 file changed, 4 insertions(+), 2 deletions(-)
> > >
> > > diff --git a/mm/mmap.c b/mm/mmap.c
> > > index f3edabf83975..adb0bb5ea344 100644
> > > --- a/mm/mmap.c
> > > +++ b/mm/mmap.c
> > > @@ -2970,6 +2970,7 @@ unsigned long mmap_region(struct file *file, unsigned long addr,
> > > } else {
> > > /* Minimal setup of vms */
> > > vms.nr_pages = 0;
> > > + vms.nr_accounted = 0;
> > > next = vma_next(&vmi);
> > > prev = vma_prev(&vmi);
> > > if (prev)
> > > @@ -2981,9 +2982,10 @@ unsigned long mmap_region(struct file *file, unsigned long addr,
> > > */
> > > if (accountable_mapping(file, vm_flags)) {
> > > charged = pglen;
> > > - charged -= nr_accounted;
> > > - if (security_vm_enough_memory_mm(mm, charged))
> > > + charged -= vms.nr_accounted;
> > > + if (charged && security_vm_enough_memory_mm(mm, charged))
> > > goto abort_munmap;
> > > +
> > > vms.nr_accounted = 0;
> > > vm_flags |= VM_ACCOUNT;
> > > }
> > > --
> > > 2.43.0
> > >
> >
> > --
> > Kees Cook
--
Kees Cook
