Re: [PATCH] Revert "selinux: use vma_is_initial_stack() and vma_is_initial_heap()"

On Thu, Aug 8, 2024 at 2:54 PM Stephen Smalley
<stephen.smalley.work@xxxxxxxxx> wrote:
> On Thu, Aug 8, 2024 at 11:48 AM Paul Moore <paul@xxxxxxxxxxxxxx> wrote:
> > On Thu, Aug 8, 2024 at 9:40 AM Stephen Smalley
> > <stephen.smalley.work@xxxxxxxxx> wrote:
> > >
> > > On Thu, Aug 8, 2024 at 9:09 AM Kefeng Wang <wangkefeng.wang@xxxxxxxxxx> wrote:
> > > >
> > > > This reverts commit 68df1baf158fddc07b6f0333e4c81fe1ccecd6ff.
> > > >
> > > > SELinux only wants to check whether the VMA range is within the heap
> > > > range or not, but vma_is_initial_heap() helper will check the intersection
> > > > between the two ranges, which leads to some issue, let's turn back to the
> > > > original validation.
> > > >
> > > > Reported-by: Marc Reisner <reisner.marc@xxxxxxxxx>
> > > > Closes: https://lore.kernel.org/all/ZrPmoLKJEf1wiFmM@xxxxxxxxxxxxxxx/
> > > > Fixes: 68df1baf158f ("selinux: use vma_is_initial_stack() and vma_is_initial_heap()")
> > > > Signed-off-by: Kefeng Wang <wangkefeng.wang@xxxxxxxxxx>
> > >
> > > I was only going to recommend reverting the change to the heap check
> > > but in case Paul is fine with a straight revert,
> > > Acked-by: Stephen Smalley <stephen.smalley.work@xxxxxxxxx>
> >
> > I was hoping that the mm folks would put together a quick patch to fix
> > what looks like a problem with the helper, but I'm not sure when that
> > is going to happen and with other callers I don't want to change the
> > helper and break a different part of the kernel.  Unfortunately that
> > leaves us with needing a revert, but like Stephen said, I think
> > reverting just the heap helper is the right thing to do right now; I
> > also want to put a comment in there for the next time someone tries to
> > re-add the vma_is_initial_heap().  Give me some time, I'll have a
> > patch out for this later today.
>
> FWIW, I tossed the reproducer code from Marc Reisner into a branch of
> the SELinux testsuite and wrapped it up with an added test to the mmap
> tests here:
> https://github.com/stephensmalley/selinux-testsuite/tree/execheapregression
>
> Passes with the revert, fails without.
> Would need to be modified to be portable to actually be suitable for
> inclusion though.

Thanks Stephen.

FWIW, I think improving this test such that it could be included in
the test suite would be a very good thing to do.

-- 
paul-moore.com
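
The revert's commit message distinguishes a mapping that lies within the heap range from one that merely intersects it. The following is an added illustration, not part of the thread and not kernel code: `struct range` and the three functions are hypothetical names, and the addresses are constructed.

```c
#include <stdbool.h>
#include <stdio.h>

/* Half-open address range [start, end). Hypothetical stand-in for a VMA
 * or for the process heap (brk) area; not a kernel structure. */
struct range { unsigned long start, end; };

/* Containment: every address of the mapping lies inside the heap range. */
static bool range_within(struct range vma, struct range heap)
{
    return vma.start >= heap.start && vma.end <= heap.end;
}

/* Overlap: the usual two-comparison intersection test. */
static bool range_intersects(struct range vma, struct range heap)
{
    return vma.start < heap.end && vma.end > heap.start;
}

/* True when the two tests classify the same mapping differently. */
static bool checks_disagree(struct range vma, struct range heap)
{
    return range_within(vma, heap) != range_intersects(vma, heap);
}

int main(void)
{
    /* Constructed addresses, for illustration only. */
    struct range heap = { 0x1000, 0x5000 };
    struct { const char *name; struct range vma; } cases[] = {
        { "inside heap",    { 0x2000, 0x3000 } },
        { "straddles top",  { 0x4000, 0x8000 } },
        { "covers heap",    { 0x0800, 0x9000 } },
        { "adjacent above", { 0x5000, 0x6000 } },
    };

    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        struct range v = cases[i].vma;
        printf("%-15s within=%d intersects=%d disagree=%d\n",
               cases[i].name, range_within(v, heap),
               range_intersects(v, heap), checks_disagree(v, heap));
    }
    return 0;
}
```

A mapping that only partly overlaps the heap range, or that fully covers it, passes the intersection test but fails the containment test, so the two checks classify it differently.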




