Re: [PATCH] Revert "selinux: use vma_is_initial_stack() and vma_is_initial_heap()"

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, Aug 8, 2024 at 11:48 AM Paul Moore <paul@xxxxxxxxxxxxxx> wrote:
>
> On Thu, Aug 8, 2024 at 9:40 AM Stephen Smalley
> <stephen.smalley.work@xxxxxxxxx> wrote:
> >
> > On Thu, Aug 8, 2024 at 9:09 AM Kefeng Wang <wangkefeng.wang@xxxxxxxxxx> wrote:
> > >
> > > This reverts commit 68df1baf158fddc07b6f0333e4c81fe1ccecd6ff.
> > >
> > > The selinux only want to check whether the VMA range is within the heap
> > > range or not, but vma_is_initial_heap() helper will check the intersection
> > > between the two ranges, which leads to some issue, let's turn back to the
> > > original validation.
> > >
> > > Reported-by: Marc Reisner <reisner.marc@xxxxxxxxx>
> > > Closes: https://lore.kernel.org/all/ZrPmoLKJEf1wiFmM@xxxxxxxxxxxxxxx/
> > > Fixes: 68df1baf158f ("selinux: use vma_is_initial_stack() and vma_is_initial_heap()")
> > > Signed-off-by: Kefeng Wang <wangkefeng.wang@xxxxxxxxxx>
> >
> > I was only going to recommend reverting the change to the heap check
> > but in case Paul is fine with a straight revert,
> > Acked-by: Stephen Smalley <stephen.smalley.work@xxxxxxxxx>
>
> I was hoping that the mm folks would put together a quick patch to fix
> what looks like a problem with the helper, but I'm not sure when that
> is going to happen and with other callers I don't want to change the
> helper and break a different part of the kernel.  Unfortunately that
> leaves us with needing a revert, but like Stephen said, I think
> reverting just the heap helper is the right thing to do right now; I
> also want to put a comment in there for the next time someone tries to
> re-add the vma_is_initial_heap().  Give me some time, I'll have a
> patch out for this later today.

FWIW, I tossed the reproducer code from Marc Reisner into a branch of
the SELinux testsuite and wrapped it up with an added test to the mmap
tests here:
https://github.com/stephensmalley/selinux-testsuite/tree/execheapregression

Passes with the revert, fails without.
Would need to be modified to be portable to actually be suitable for
inclusion though.





[Index of Archives]     [Selinux Refpolicy]     [Linux SGX]     [Fedora Users]     [Fedora Desktop]     [Yosemite Photos]     [Yosemite Camping]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux