Re: [PATCH v8 2/3] mm: add a field to store names for private anonymous memory
From: Suren Baghdasaryan <surenb@google.com>
Date: 2021-08-28 21:48:02
Also in:
linux-fsdevel, linux-mm, lkml
On Fri, Aug 27, 2021 at 10:52 PM Kees Cook [off-list ref] wrote:
On Sat, Aug 28, 2021 at 02:47:03AM +0100, Matthew Wilcox wrote:quoted
On Fri, Aug 27, 2021 at 12:18:57PM -0700, Suren Baghdasaryan wrote:quoted
+ anon_name = vma_anon_name(vma); + if (anon_name) { + seq_pad(m, ' '); + seq_puts(m, "[anon:"); + seq_write(m, anon_name, strlen(anon_name)); + seq_putc(m, ']'); + }Maybe after seq_pad, use: seq_printf(m, "[anon:%s]", anon_name);
Good idea. Will change.
quoted
...quoted
+ case PR_SET_VMA_ANON_NAME: + name = strndup_user((const char __user *)arg, + ANON_VMA_NAME_MAX_LEN); + + if (IS_ERR(name)) + return PTR_ERR(name); + + for (pch = name; *pch != '\0'; pch++) { + if (!isprint(*pch)) { + kfree(name); + return -EINVAL;I think isprint() is too weak a check. For example, I would suggest forbidding the following characters: ':', ']', '[', ' '. Perhaps isalnum() would be better? (permit a-zA-Z0-9) I wouldn't necessarily be opposed to some punctuation characters, but let's avoid creating confusion. Do you happen to know which characters are actually in use today?There's some sense in refusing [, ], and :, but removing " " seems unhelpful for reasonable descriptors. As long as weird stuff is escaped, I think it's fine. Any parser can just extract with m|\[anon:(.*)\]$|
I see no issue in forbidding '[' and ']' but whitespace and ':' are currently used by Android. Would forbidding or escaping '[' and ']' be enough?
For example, just escape it here instead of refusing to take it. Something
like:
name = strndup_user((const char __user *)arg,
ANON_VMA_NAME_MAX_LEN);
escaped = kasprintf(GFP_KERNEL, "%pE", name);Did you mean "%*pE" as in https://www.kernel.org/doc/html/latest/core-api/printk-formats.html#raw-buffer-as-an-escaped-string ?
if (escaped) {
kfree(name);
return -ENOMEM;
}
kfree(name);
name = escaped;
--
Kees Cook