From: Kefeng Wang <wangkefeng.wang@huawei.com>
To: <linuxppc-dev@lists.ozlabs.org>, <mpe@ellerman.id.au>,
	<benh@kernel.crashing.or>, <paulus@samba.org>,
	<linux-kernel@vger.kernel.org>, <linux-mm@kvack.org>
Cc: <akpm@linux-foundation.org>, <npiggin@gmail.com>,
	<christophe.leroy@csgroup.eu>, <songyuanzheng@huawei.com>,
	Kefeng Wang <wangkefeng.wang@huawei.com>
Subject: [PATCH v4 2/2] powerpc: Fix virt_addr_valid() check
Date: Wed, 16 Feb 2022 20:11:08 +0800	[thread overview]
Message-ID: <20220216121109.157605-2-wangkefeng.wang@huawei.com> (raw)
In-Reply-To: <20220216121109.157605-1-wangkefeng.wang@huawei.com>

When running ethtool eth0 on PowerPC64, the BUG occurred,

  usercopy: Kernel memory exposure attempt detected from SLUB object not in SLUB page?! (offset 0, size 1048)!
  kernel BUG at mm/usercopy.c:99
  ...
  usercopy_abort+0x64/0xa0 (unreliable)
  __check_heap_object+0x168/0x190
  __check_object_size+0x1a0/0x200
  dev_ethtool+0x2494/0x2b20
  dev_ioctl+0x5d0/0x770
  sock_do_ioctl+0xf0/0x1d0
  sock_ioctl+0x3ec/0x5a0
  __se_sys_ioctl+0xf0/0x160
  system_call_exception+0xfc/0x1f0
  system_call_common+0xf8/0x200

The code shows below,

  data = vzalloc(array_size(gstrings.len, ETH_GSTRING_LEN));
  copy_to_user(useraddr, data, gstrings.len * ETH_GSTRING_LEN)

The data is allocated by vmalloc(); virt_addr_valid(ptr) will return true
on PowerPC64, which leads to the panic.

As commit 4dd7554a6456 ("powerpc/64: Add VIRTUAL_BUG_ON checks for __va
and __pa addresses") does, make sure the virt addr is above PAGE_OFFSET in
virt_addr_valid() for PowerPC64, and also add an upper limit check to make
sure the virt addr is below high_memory.

Meanwhile, for PowerPC32, PAGE_OFFSET is the virtual address of the start
of lowmem and high_memory is the upper lowmem virtual address, so the check
is suitable for PowerPC32 as well; this will fix the issue mentioned in
commit 602946ec2f90 ("powerpc: Set max_mapnr correctly") too.

Signed-off-by: Kefeng Wang <wangkefeng.wang@huawei.com>
---
v4:
- add upper limit check
v3:
- update changelog and remove a redundant cast
 arch/powerpc/include/asm/page.h | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/arch/powerpc/include/asm/page.h b/arch/powerpc/include/asm/page.h
index 254687258f42..7a1ba27a7285 100644
--- a/arch/powerpc/include/asm/page.h
+++ b/arch/powerpc/include/asm/page.h
@@ -132,7 +132,11 @@ static inline bool pfn_valid(unsigned long pfn)
 #define virt_to_page(kaddr)	pfn_to_page(virt_to_pfn(kaddr))
 #define pfn_to_kaddr(pfn)	__va((pfn) << PAGE_SHIFT)
 
-#define virt_addr_valid(kaddr)	pfn_valid(virt_to_pfn(kaddr))
+#define virt_addr_valid(vaddr)	({					\
+	unsigned long _addr = (unsigned long)vaddr;			\
+	_addr >= PAGE_OFFSET && _addr < (unsigned long)high_memory &&	\
+	pfn_valid(virt_to_pfn(_addr));					\
+})
 
 /*
  * On Book-E parts we need __va to parse the device tree and we can't
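Review bot: the temporary `_addr` in the new `virt_addr_valid(vaddr)` statement expression shadows any caller variable of the same name: if a caller writes `virt_addr_valid(_addr)`, the line `unsigned long _addr = (unsigned long)vaddr;` expands to `unsigned long _addr = (unsigned long)_addr;` and initialises the temporary from itself. A more distinctive name (for example `__virt_addr`) or a `static inline bool virt_addr_valid(const void *)` avoids the collision while keeping single evaluation of the argument. Also worth stating in the changelog: `high_memory` is declared in linux/mm.h rather than in asm/page.h, so the macro relies on that declaration being visible at every expansion site.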
-- 
2.26.2
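The commit message above describes the new check as an address-range test layered on top of pfn_valid(). The following user-space model is added here for illustration; it is not part of the patch or of the kernel. It reproduces the two versions of the macro over a constructed memory layout (toy PAGE_OFFSET, high_memory and RAM size, none of them real powerpc values) so the difference can be seen on sample addresses: an address in vmalloc space whose computed pfn happens to land on present RAM passes the old pfn-only check and is rejected by the bounded one.

```c
#include <stdbool.h>
#include <stdio.h>

/*
 * Constructed toy memory layout (not real powerpc constants): a 32-bit-style
 * kernel window with 1 GiB of RAM present but only 768 MiB mapped linearly.
 * Everything above high_memory is treated as vmalloc space in this model.
 */
#define PAGE_SHIFT   12
#define PAGE_OFFSET  0xC0000000UL   /* start of the linear map */
#define LOWMEM_BYTES 0x30000000UL   /* 768 MiB mapped linearly */
#define RAM_PFNS     0x40000UL      /* 1 GiB present: pfn 0..0x3ffff */

static const unsigned long high_memory = PAGE_OFFSET + LOWMEM_BYTES;

/* Same arithmetic as the kernel macro; wraps for addresses below PAGE_OFFSET. */
static unsigned long virt_to_pfn(unsigned long addr)
{
	return (addr - PAGE_OFFSET) >> PAGE_SHIFT;
}

/* Flatmem-style pfn_valid(): "is this pfn backed by present RAM?" */
static bool pfn_valid(unsigned long pfn)
{
	return pfn < RAM_PFNS;
}

/* Pre-patch check: pfn_valid() on whatever virt_to_pfn() computes. */
bool virt_addr_valid_old(unsigned long addr)
{
	return pfn_valid(virt_to_pfn(addr));
}

/* Patched check: bound the address to the linear map before looking at the pfn. */
bool virt_addr_valid_new(unsigned long addr)
{
	return addr >= PAGE_OFFSET && addr < high_memory &&
	       pfn_valid(virt_to_pfn(addr));
}

int main(void)
{
	/* Constructed sample addresses covering the edges of the linear map. */
	struct { const char *what; unsigned long addr; } cases[] = {
		{ "linear-map page",           PAGE_OFFSET + 0x1000 },
		{ "last byte of lowmem",       high_memory - 1 },
		{ "high_memory itself",        high_memory },
		{ "vmalloc-region page",       high_memory + 0x400000 },
		{ "user address below window", 0x10000000UL },
	};

	for (unsigned i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
		printf("%-26s 0x%08lx  old=%d  new=%d\n", cases[i].what, cases[i].addr,
		       virt_addr_valid_old(cases[i].addr),
		       virt_addr_valid_new(cases[i].addr));
	return 0;
}
```

The "vmalloc-region page" row is the interesting one: its virt_to_pfn() result (0x30400 in this model) is present RAM, so the old macro reports it as a valid linear-map address even though it is not, which is exactly what lets usercopy hardening mis-classify a vmalloc buffer; the range check rejects it before pfn_valid() is consulted.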


Thread overview: 24+ messages
2022-02-16 12:11 [PATCH v4 1/2] Revert "powerpc: Set max_mapnr correctly" Kefeng Wang
2022-02-16 12:11 ` Kefeng Wang
2022-02-16 12:11 ` Kefeng Wang [this message]
2022-02-16 12:11   ` [PATCH v4 2/2] powerpc: Fix virt_addr_valid() check Kefeng Wang
2022-03-09 16:01   ` [v4,2/2] " Christophe Leroy
2022-03-09 16:00 ` [v4,1/2] Revert "powerpc: Set max_mapnr correctly" Christophe Leroy
2022-03-26  7:55 ` [PATCH v4 1/2] " Kefeng Wang
2022-03-26  7:55   ` Kefeng Wang
2022-03-28 10:37   ` Michael Ellerman
2022-03-28 10:37     ` Michael Ellerman
2022-03-28 10:59     ` Christophe Leroy
2022-03-28 10:59       ` Christophe Leroy
2022-04-01 11:23       ` Michael Ellerman
2022-04-01 11:23         ` Michael Ellerman
2022-04-01 12:07         ` Christophe Leroy
2022-04-01 12:07           ` Christophe Leroy
2022-03-28 14:12   ` Christophe Leroy
2022-03-28 14:12     ` Christophe Leroy
2022-03-29 11:32     ` Kefeng Wang
2022-03-29 11:32       ` Kefeng Wang
2022-04-04 12:31       ` Michael Ellerman
2022-04-04 12:31         ` Michael Ellerman
2022-04-06  2:21         ` Kefeng Wang
2022-04-06  2:21           ` Kefeng Wang
