Re: [PATCH v2] mmap: Fix do_brk_flags() modifying obviously incorrect VMAs

[Vlastimil Babka]

On 12/5/22 23:13, Vlastimil Babka wrote:
> On 12/5/22 22:55, Jann Horn wrote:
>> On Mon, Dec 5, 2022 at 9:32 PM Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx> wrote:
>>> On Mon, 5 Dec 2022 19:23:17 +0000 Liam Howlett <liam.howlett@xxxxxxxxxx> wrote:
>>> > Add more sanity checks to the VMA that do_brk_flags() will expand.
>>> > Ensure the VMA matches basic merge requirements within the function
>>> > before calling can_vma_merge_after().
>>>
>>> I't unclear what's actually being fixed here.
>>>
>>> Why do you feel we need the above changes?
>>>
>>> > Drop the duplicate checks from vm_brk_flags() since they will be
>>> > enforced later.
>>> >
>>> > Fixes: 2e7ce7d354f2 ("mm/mmap: change do_brk_flags() to expand existing VMA and add do_brk_munmap()")
>>>
>>> Fixes in what way?  Removing the duplicate checks?
>> 
>> The old code would expand file VMAs on brk(), which is functionally
>> wrong and also dangerous in terms of locking because the brk() path
>> isn't designed for file VMAs and therefore doesn't lock the file
>> mapping. Checking can_vma_merge_after() ensures that new anonymous
>> VMAs can't be merged into file VMAs.
>> 
>> See https://lore.kernel.org/linux-mm/CAG48ez1tJZTOjS_FjRZhvtDA-STFmdw8PEizPDwMGFd_ui0Nrw@xxxxxxxxxxxxxx/

And yeah, that URL should have been a Link: in the patch. And the scenario
it's fixing described in a bit more detail?

> I guess the point is that if we fix it still within 6.1, we don't have to
> devise how exactly this is exploitable, but due to the insufficient locking
> it most likely is, right?