All of lore.kernel.org
 help / color / mirror / Atom feed
From: Michal Hocko <mhocko@kernel.org>
To: Roman Penyaev <rpenyaev@suse.de>
Cc: Andrew Morton <akpm@linux-foundation.org>,
	Andrey Ryabinin <aryabinin@virtuozzo.com>,
	Joe Perches <joe@perches.com>,
	"Luis R. Rodriguez" <mcgrof@kernel.org>,
	linux-mm@kvack.org, linux-kernel@vger.kernel.org,
	stable@vger.kernel.org
Subject: Re: [PATCH 1/3] mm/vmalloc: fix size check for remap_vmalloc_range_partial()
Date: Fri, 4 Jan 2019 10:38:08 +0100	[thread overview]
Message-ID: <20190104093808.GJ31793@dhcp22.suse.cz> (raw)
In-Reply-To: <5502b64d6c508f5432386d2cfe999844@suse.de>

On Thu 03-01-19 21:31:58, Roman Penyaev wrote:
> On 2019-01-03 20:40, Michal Hocko wrote:
> > On Thu 03-01-19 20:27:26, Roman Penyaev wrote:
> > > On 2019-01-03 16:13, Michal Hocko wrote:
> > > > On Thu 03-01-19 15:59:52, Roman Penyaev wrote:
> > > > > area->size can include adjacent guard page but get_vm_area_size()
> > > > > returns actual size of the area.
> > > > >
> > > > > This fixes possible kernel crash when userspace tries to map area
> > > > > on 1 page bigger: size check passes but the following
> > > > > vmalloc_to_page()
> > > > > returns NULL on last guard (non-existing) page.
> > > >
> > > > Can this actually happen? I am not really familiar with all the callers
> > > > of this API but VM_NO_GUARD is not really used wildly in the kernel.
> > > 
> > > Exactly, by default (VM_NO_GUARD is not set) each area has guard page,
> > > thus the area->size will be bigger.  The bug is not reproduced if
> > > VM_NO_GUARD is set.
> > > 
> > > > All I can see is kasan na arm64 which doesn't really seem to use it
> > > > for vmalloc.
> > > >
> > > > So is the problem real or this is a mere cleanup?
> > > 
> > > This is the real problem, try this hunk for any file descriptor which
> > > provides
> > > mapping, or say modify epoll as example:
> > 
> > OK, my response was more confusing than I intended. I meant to say. Is
> > there any in kernel code that would allow the bug have had in mind?
> > In other words can userspace trick any existing code?
> 
> In theory any existing caller of remap_vmalloc_range() which does
> not have an explicit size check should trigger an oops, e.g. this is
> a good candidate:
> 
> *** drivers/media/usb/stkwebcam/stk-webcam.c:
> v4l_stk_mmap[789]              ret = remap_vmalloc_range(vma, sbuf->buffer,
> 0);

Hmm, sbuf->buffer is allocated in stk_setup_siobuf to have
buf->v4lbuf.length. mmap callback maps this buffer to the vma size and
that is indeed not enforced to be <= length AFAICS. So you are right!

Can we have an example in the changelog please?

Thanks!
-- 
Michal Hocko
SUSE Labs

  reply	other threads:[~2019-01-04  9:38 UTC|newest]

Thread overview: 22+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-01-03 14:59 [PATCH 0/3] mm/vmalloc: fix size check and few cleanups Roman Penyaev
2019-01-03 14:59 ` Roman Penyaev
2019-01-03 14:59 ` [PATCH 1/3] mm/vmalloc: fix size check for remap_vmalloc_range_partial() Roman Penyaev
2019-01-03 14:59   ` Roman Penyaev
2019-01-03 15:13   ` Michal Hocko
2019-01-03 19:27     ` Roman Penyaev
2019-01-03 19:40       ` Michal Hocko
2019-01-03 20:31         ` Roman Penyaev
2019-01-04  9:38           ` Michal Hocko [this message]
2019-01-04 10:21             ` Roman Penyaev
2019-01-04 10:28               ` Michal Hocko
2019-01-03 19:59   ` Michal Hocko
2019-01-04 11:06   ` Roman Penyaev
2019-01-11 19:19   ` Andrey Ryabinin
2019-01-03 14:59 ` [PATCH 2/3] mm/vmalloc: do not call kmemleak_free() on not yet accounted memory Roman Penyaev
2019-01-03 14:59   ` Roman Penyaev
2019-01-11 19:26   ` Andrey Ryabinin
2019-01-12 17:19     ` Roman Penyaev
2019-01-03 14:59 ` [PATCH 3/3] mm/vmalloc: pass VM_USERMAP flags directly to __vmalloc_node_range() Roman Penyaev
2019-01-03 14:59   ` Roman Penyaev
2019-01-03 15:23   ` Michal Hocko
2019-01-11 19:19   ` Andrey Ryabinin

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20190104093808.GJ31793@dhcp22.suse.cz \
    --to=mhocko@kernel.org \
    --cc=akpm@linux-foundation.org \
    --cc=aryabinin@virtuozzo.com \
    --cc=joe@perches.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-mm@kvack.org \
    --cc=mcgrof@kernel.org \
    --cc=rpenyaev@suse.de \
    --cc=stable@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.