From: "Matthew Wilcox (Oracle)" <willy@infradead.org>
To: Kees Cook <keescook@chromium.org>
Cc: "Matthew Wilcox (Oracle)" <willy@infradead.org>,
linux-mm@kvack.org, linux-hardening@vger.kernel.org,
William Kucharski <william.kucharski@oracle.com>
Subject: [PATCH v4 2/4] mm/usercopy: Detect vmalloc overruns
Date: Thu, 16 Dec 2021 21:53:49 +0000 [thread overview]
Message-ID: <20211216215351.3811471-3-willy@infradead.org> (raw)
In-Reply-To: <20211216215351.3811471-1-willy@infradead.org>
If you have a vmalloc() allocation, or an address from calling vmap(),
you cannot overrun the vm_area which describes it, regardless of the
size of the underlying allocation. This probably doesn't do much for
security because vmalloc comes with guard pages these days, but it
prevents usercopy aborts when copying to a vmap() of smaller pages.
Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
Acked-by: Kees Cook <keescook@chromium.org>
Reviewed-by: William Kucharski <william.kucharski@oracle.com>
---
mm/usercopy.c | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
diff --git a/mm/usercopy.c b/mm/usercopy.c
index 8c039302465f..63476e1506e0 100644
--- a/mm/usercopy.c
+++ b/mm/usercopy.c
@@ -17,6 +17,7 @@
#include <linux/sched/task.h>
#include <linux/sched/task_stack.h>
#include <linux/thread_info.h>
+#include <linux/vmalloc.h>
#include <linux/atomic.h>
#include <linux/jump_label.h>
#include <asm/sections.h>
@@ -237,6 +238,21 @@ static inline void check_heap_object(const void *ptr, unsigned long n,
return;
}
+ if (is_vmalloc_addr(ptr)) {
+ struct vm_struct *vm = find_vm_area(ptr);
+ unsigned long offset;
+
+ if (!vm) {
+ usercopy_abort("vmalloc", "no area", to_user, 0, n);
+ return;
+ }
+
+ offset = ptr - vm->addr;
+ if (offset + n > vm->size)
+ usercopy_abort("vmalloc", NULL, to_user, offset, n);
+ return;
+ }
+
page = virt_to_head_page(ptr);
if (PageSlab(page)) {
--
2.33.0
next prev parent reply other threads:[~2021-12-16 21:54 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-12-16 21:53 [PATCH v4 0/4] Assorted improvements to usercopy Matthew Wilcox (Oracle)
2021-12-16 21:53 ` [PATCH v4 1/4] mm/usercopy: Check kmap addresses properly Matthew Wilcox (Oracle)
2021-12-16 21:53 ` Matthew Wilcox (Oracle) [this message]
2021-12-17 13:07 ` [PATCH v4 2/4] mm/usercopy: Detect vmalloc overruns Mark Hemment
2021-12-16 21:53 ` [PATCH v4 3/4] mm/usercopy: Detect compound page overruns Matthew Wilcox (Oracle)
2021-12-16 21:53 ` [PATCH v4 4/4] usercopy: Remove HARDENED_USERCOPY_PAGESPAN Matthew Wilcox (Oracle)
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20211216215351.3811471-3-willy@infradead.org \
--to=willy@infradead.org \
--cc=keescook@chromium.org \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=william.kucharski@oracle.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.