/* * mseal() disallows an input range which contain unmapped ranges (VMA holes). * * It disallows unmapped regions from start to end whether they exist at the * start, in the middle, or at the end of the range, or any combination thereof. * * This is because after sealng a range, there's nothing to stop memory mapping * of ranges in the remaining gaps later, meaning that the user might then * wrongly consider the entirety of the mseal()'d range to be sealed when it * in fact isn't.
*/
/* * Does the [start, end) range contain any unmapped memory? * * We ensure that: * - start is part of a valid VMA. * - end is part of a valid VMA. * - no gap (unallocated memory) exists between start and end.
*/ staticbool range_contains_unmapped(struct mm_struct *mm, unsignedlong start, unsignedlong end)
{ struct vm_area_struct *vma; unsignedlong prev_end = start;
VMA_ITERATOR(vmi, current->mm, start);
for_each_vma_range(vmi, vma, end) { if (vma->vm_start > prev_end) returntrue;
/* * mseal(2) seals the VM's meta data from * selected syscalls. * * addr/len: VM address range. * * The address range by addr/len must meet: * start (addr) must be in a valid VMA. * end (addr + len) must be in a valid VMA. * no gap (unallocated memory) between start and end. * start (addr) must be page aligned. * * len: len will be page aligned implicitly. * * Below VMA operations are blocked after sealing. * 1> Unmapping, moving to another location, and shrinking * the size, via munmap() and mremap(), can leave an empty * space, therefore can be replaced with a VMA with a new * set of attributes. * 2> Moving or expanding a different vma into the current location, * via mremap(). * 3> Modifying a VMA via mmap(MAP_FIXED). * 4> Size expansion, via mremap(), does not appear to pose any * specific risks to sealed VMAs. It is included anyway because * the use case is unclear. In any case, users can rely on * merging to expand a sealed VMA. * 5> mprotect and pkey_mprotect. * 6> Some destructive madvice() behavior (e.g. MADV_DONTNEED) * for anonymous memory, when users don't have write permission to the * memory. Those behaviors can alter region contents by discarding pages, * effectively a memset(0) for anonymous memory. * * flags: reserved. * * return values: * zero: success. * -EINVAL: * invalid input flags. * start address is not page aligned. * Address arange (start + len) overflow. * -ENOMEM: * addr is not a valid address (not allocated). * end (start + len) is not a valid address. * a gap (unallocated memory) between start and end. * -EPERM: * - In 32 bit architecture, sealing is not supported. * Note: * user can call mseal(2) multiple times, adding a seal on an * already sealed memory is a no-action (no error). * * unseal() is not supported.
*/ int do_mseal(unsignedlong start, size_t len_in, unsignedlong flags)
{
size_t len; int ret = 0; unsignedlong end; struct mm_struct *mm = current->mm;
/* Verify flags not set. */ if (flags) return -EINVAL;
start = untagged_addr(start); if (!PAGE_ALIGNED(start)) return -EINVAL;
len = PAGE_ALIGN(len_in); /* Check to see whether len was rounded up from small -ve to zero. */ if (len_in && !len) return -EINVAL;
end = start + len; if (end < start) return -EINVAL;
if (end == start) return 0;
if (mmap_write_lock_killable(mm)) return -EINTR;
if (range_contains_unmapped(mm, start, end)) {
ret = -ENOMEM; goto out;
}
/* * Second pass, this should success, unless there are errors * from vma_modify_flags, e.g. merge/split error, or process * reaching the max supported VMAs, however, those cases shall * be rare.
*/
ret = mseal_apply(mm, start, end);
Die Informationen auf dieser Webseite wurden
nach bestem Wissen sorgfältig zusammengestellt. Es wird jedoch weder Vollständigkeit, noch Richtigkeit,
noch Qualität der bereit gestellten Informationen zugesichert.
Bemerkung:
Die farbliche Syntaxdarstellung und die Messung sind noch experimentell.
