From: Arnd Bergmann <arnd@kernel.org>
To: Heiko Carstens <hca@linux.ibm.com>
Cc: Andrew Morton <akpm@linux-foundation.org>,
	Arnd Bergmann <arnd@arndb.de>,
	Catalin Marinas <catalin.marinas@arm.com>,
	Will Deacon <will@kernel.org>,
	Thomas Bogendoerfer <tsbogend@alpha.franken.de>,
	"James E.J. Bottomley" <James.Bottomley@hansenpartnership.com>,
	Helge Deller <deller@gmx.de>,
	Michael Ellerman <mpe@ellerman.id.au>,
	Benjamin Herrenschmidt <benh@kernel.crashing.org>,
	Paul Mackerras <paulus@samba.org>,
	Vasily Gorbik <gor@linux.ibm.com>,
	Christian Borntraeger <borntraeger@de.ibm.com>,
	"David S. Miller" <davem@davemloft.net>,
	Thomas Gleixner <tglx@linutronix.de>,
	Ingo Molnar <mingo@redhat.com>, Borislav Petkov <bp@alien8.de>,
	"the arch/x86 maintainers" <x86@kernel.org>,
	"H. Peter Anvin" <hpa@zytor.com>,
	Al Viro <viro@zeniv.linux.org.uk>,
	"Eric W. Biederman" <ebiederm@xmission.com>,
	Christoph Hellwig <hch@infradead.org>,
	Feng Tang <feng.tang@intel.com>,
	Linux ARM <linux-arm-kernel@lists.infradead.org>,
	Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
	"open list:BROADCOM NVRAM DRIVER" <linux-mips@vger.kernel.org>,
	Parisc List <linux-parisc@vger.kernel.org>,
	linuxppc-dev <linuxppc-dev@lists.ozlabs.org>,
	linux-s390 <linux-s390@vger.kernel.org>,
	sparclinux <sparclinux@vger.kernel.org>,
	linux-arch <linux-arch@vger.kernel.org>,
	Linux API <linux-api@vger.kernel.org>,
	Linux-MM <linux-mm@kvack.org>
Subject: Re: [PATCH v5 0/6] compat: remove compat_alloc_user_space
Date: Fri, 30 Jul 2021 15:35:35 +0200	[thread overview]
Message-ID: <CAK8P3a0YV0UVsui67WE4LiGM+RmQsDBOvFMaKArT5UmNLgN5GA@mail.gmail.com> (raw)
In-Reply-To: <YQPLG20V3dmOfq3a@osiris>

On Fri, Jul 30, 2021 at 11:49 AM Heiko Carstens <hca@linux.ibm.com> wrote:
> On Tue, Jul 27, 2021 at 04:48:53PM +0200, Arnd Bergmann wrote:
>
> Our CI reports this with linux-next and running strace selftest in
> compat mode:

Thanks a lot for the report! I managed to track it down based on your
output, it turns out that I end up copying data from the stack according
to how much the user asked for, and in this case that was much more
than the 8 byte nodemask_t, copying all of the kernel stack all the
way into the guard page with CONFIG_VMAP_STACK, where it
crashed. Without CONFIG_VMAP_STACK, or with user space that
asks for less data, it would just be an information leak, so others
probably haven't noticed the problem.

The change below should fix that, I'll double-check the other callers
as well before sending a proper fixup patch to Andrew.

        Arnd

diff --git a/mm/mempolicy.c b/mm/mempolicy.c
index 4fabf2dddbc0..0d1f3be32723 100644
--- a/mm/mempolicy.c
+++ b/mm/mempolicy.c
@@ -1438,6 +1438,7 @@ static int copy_nodes_to_user(unsigned long
__user *mask, unsigned long maxnode,
                if (clear_user((char __user *)mask + nbytes, copy - nbytes))
                        return -EFAULT;
                copy = nbytes;
+               maxnode = nr_node_ids;
        }

        if (compat)
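Review bot: the new `maxnode = nr_node_ids;` line sits inside the `copy > nbytes` branch with no comment, so a reader who sees `copy = nbytes;` already bounding the copy will not know why `maxnode` needs capping as well; add a comment on the new line saying that the `if (compat)` path right below copies by `maxnode` rather than by `copy`, so `maxnode` must not exceed the width of `nodes`. Since the message above states that without CONFIG_VMAP_STACK this is a kernel-stack information leak to user space, the fixup's commit message should say so explicitly and carry the appropriate Fixes: tag, so that anyone backporting the series picks the fix up with it; a selftest that calls the syscall in compat mode with a `maxnode` far larger than `nr_node_ids` would keep this from regressing.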

_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
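
The over-read described in the reply above, modelled in user space as an added example (this is not kernel code and not part of the original thread). The "kernel stack" is a struct whose first 8 bytes are the nodemask_t; the rest stands in for other locals, and any read past the end of the struct stands in for hitting the CONFIG_VMAP_STACK guard page. The `*_model` functions, the `leaked_bytes()` driver, the four-node `nr_node_ids` value and the LP64 layout are all assumptions made for this example, and the model leaves out the other validation the real function does; it only shows why the one-line clamp from the patch matters on the compat path.

```c
/* Added example, not kernel code: user-space model of the copy_nodes_to_user()
 * over-read. All *_model names, nr_node_ids and the frame layout are assumed. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

_Static_assert(sizeof(unsigned long) == 8, "model assumes a 64-bit kernel");

#define BITS_PER_LONG     64
#define BITS_TO_LONGS(n)  (((n) + BITS_PER_LONG - 1) / BITS_PER_LONG)
#define BITS_TO_U32S(n)   (((n) + 31) / 32)            /* BITS_TO_COMPAT_LONGS */
#define ALIGN_UP(x, a)    (((x) + (a) - 1) & ~((unsigned long)(a) - 1))

static const unsigned long nr_node_ids = 4;           /* assumed: 4 NUMA nodes */

/* Stand-in for the kernel stack frame that holds the nodemask_t. */
struct stack_model {
    unsigned long nodes[1];       /* nodemask_t: one long when MAX_NUMNODES <= 64 */
    unsigned long secrets[3];     /* other locals that must never reach user space */
};                                /* everything past this point is the guard page */

/* Model of compat_put_bitmap(): writes BITS_TO_U32S(nbits) 32-bit words, reading
 * one long per two words, i.e. BITS_TO_LONGS(nbits) longs from the source. */
static int compat_put_bitmap_model(uint32_t *umask, size_t umask_len,
                                   const struct stack_model *stk, unsigned long nbits)
{
    const unsigned long *src = (const unsigned long *)stk;
    unsigned long nwords = BITS_TO_U32S(nbits);

    if (BITS_TO_LONGS(nbits) * sizeof(unsigned long) > sizeof(*stk))
        return -EFAULT;                       /* read ran into the guard page */
    if (nwords * sizeof(uint32_t) > umask_len)
        return -EFAULT;                       /* put_user() on an unmapped page */
    for (unsigned long i = 0; i < nwords; i++)
        umask[i] = (uint32_t)(src[i / 2] >> (32 * (i % 2)));
    return 0;
}

/* Model of copy_nodes_to_user(); `fixed` adds the patch's `maxnode = nr_node_ids;`.
 * The native path copies `copy` bytes; the compat path copies by `maxnode`. */
static int copy_nodes_to_user_model(uint32_t *umask, size_t umask_len,
                                    unsigned long maxnode,
                                    const struct stack_model *stk,
                                    bool compat, bool fixed)
{
    unsigned long copy = ALIGN_UP(maxnode - 1, 64) / 8;        /* bytes the user asked for */
    unsigned long nbytes = compat
        ? BITS_TO_U32S(nr_node_ids) * sizeof(uint32_t)         /* 4 bytes */
        : BITS_TO_LONGS(nr_node_ids) * sizeof(unsigned long);  /* 8 bytes */

    if (copy > nbytes) {
        if (copy > umask_len)
            return -EFAULT;                                    /* clear_user() faults */
        memset((char *)umask + nbytes, 0, copy - nbytes);      /* clear_user() */
        copy = nbytes;
        if (fixed)
            maxnode = nr_node_ids;    /* the patch: compat path copies by maxnode */
    }

    if (compat)
        return compat_put_bitmap_model(umask, umask_len, stk, maxnode);

    memcpy(umask, stk->nodes, copy);                           /* copy_to_user() */
    return 0;
}

/* Issues one get_mempolicy()-style request against a constructed frame and returns
 * the number of non-zero bytes beyond the 8-byte nodemask (leaked stack bytes), or
 * a negative errno. */
static int leaked_bytes(unsigned long maxnode, bool compat, bool fixed)
{
    struct stack_model stk = {
        .nodes   = { 0x5 },                               /* nodes 0 and 2 in the mask */
        .secrets = { 0x4141414141414141UL, 0x4242424242424242UL,
                     0x4343434343434343UL },              /* constructed "stack" contents */
    };
    uint32_t umask[64] = { 0 };                           /* 256-byte user buffer */
    const unsigned char *p = (const unsigned char *)umask;
    int ret, leaked = 0;

    if (maxnode < nr_node_ids)                            /* syscall entry rejects this */
        return -EINVAL;
    ret = copy_nodes_to_user_model(umask, sizeof(umask), maxnode, &stk, compat, fixed);
    if (ret)
        return ret;
    for (size_t i = sizeof(stk.nodes); i < sizeof(umask); i++)
        leaked += (p[i] != 0);
    return leaked;
}

int main(void)
{
    printf("compat maxnode=256  unfixed: %d bytes leaked\n", leaked_bytes(256, true, false));
    printf("compat maxnode=256  fixed:   %d bytes leaked\n", leaked_bytes(256, true, true));
    printf("compat maxnode=1024 unfixed: %d (-EFAULT: guard page)\n", leaked_bytes(1024, true, false));
    printf("native maxnode=256  unfixed: %d bytes leaked\n", leaked_bytes(256, false, false));
    return 0;
}
```

With four nodes a compat caller asking for 256 bits gets 24 bytes of neighbouring stack back in the unfixed model, asking for 1024 bits runs the read off the frame (the -EFAULT stands for the VMAP_STACK crash), and the native path is unaffected because it was always bounded by `copy`; with the clamp in place both compat requests return only the 8-byte mask.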

Thread overview: 66+ messages
2021-07-27 14:48 [PATCH v5 0/6] compat: remove compat_alloc_user_space Arnd Bergmann
2021-07-27 14:48 ` [PATCH v5 1/6] kexec: move locking into do_kexec_load Arnd Bergmann
2021-07-28 16:09   ` Eric W. Biederman
2021-07-27 14:48 ` [PATCH v5 2/6] kexec: avoid compat_alloc_user_space Arnd Bergmann
2021-07-28 16:10   ` Eric W. Biederman
2021-07-27 14:48 ` [PATCH v5 3/6] mm: simplify compat_sys_move_pages Arnd Bergmann
2021-07-27 14:48 ` [PATCH v5 4/6] mm: simplify compat numa syscalls Arnd Bergmann
2021-07-27 17:27   ` Heiko Carstens
2021-07-27 17:40     ` Arnd Bergmann
2021-07-27 18:38       ` Heiko Carstens
2021-07-27 18:49         ` Arnd Bergmann
2021-07-27 19:15           ` Heiko Carstens
2021-07-27 14:48 ` [PATCH v5 5/6] compat: remove some compat entry points Arnd Bergmann
2021-07-27 14:48 ` [PATCH v5 6/6] arch: remove compat_alloc_user_space Arnd Bergmann
2021-07-27 15:09   ` Christoph Hellwig
2021-07-27 14:59 ` [PATCH v5 0/6] compat: remove compat_alloc_user_space Christoph Hellwig
2021-07-27 20:10   ` Andrew Morton
2021-07-27 20:42     ` Arnd Bergmann
2021-07-30  9:49 ` Heiko Carstens
2021-07-30 13:35   ` Arnd Bergmann [this message]
