From: Arnd Bergmann
Date: Fri, 30 Jul 2021 15:35:35 +0200
Subject: Re: [PATCH v5 0/6] compat: remove compat_alloc_user_space
To: Heiko Carstens
Cc: Andrew Morton, Arnd Bergmann, Catalin Marinas, Will Deacon, Thomas Bogendoerfer, "James E.J. Bottomley", Helge Deller, Michael Ellerman, Benjamin Herrenschmidt, Paul Mackerras, Vasily Gorbik, Christian Borntraeger, "David S. Miller", Thomas Gleixner, Ingo Molnar, Borislav Petkov, "the arch/x86 maintainers", "H. Peter Anvin", Al Viro, "Eric W. Biederman", Christoph Hellwig, Feng Tang, Linux ARM, Linux Kernel Mailing List, "open list:BROADCOM NVRAM DRIVER", Parisc List, linuxppc-dev, linux-s390, sparclinux, linux-arch, Linux API, Linux-MM
References: <20210727144859.4150043-1-arnd@kernel.org>

On Fri, Jul 30, 2021 at 11:49 AM Heiko Carstens wrote:
> On Tue, Jul 27, 2021 at 04:48:53PM +0200, Arnd Bergmann wrote:
>
> Our CI reports this with linux-next and running strace selftest in
> compat mode:

Thanks a lot for the report! I managed to track it down based on your
output. It turns out that I end up copying data from the stack according
to how much the user asked for, and in this case that was much more than
the 8 byte nodemask_t, copying all of the kernel stack all the way into
the guard page with CONFIG_VMAP_STACK, where it crashed.

Without CONFIG_VMAP_STACK, or with user space that asks for less data,
it would just be an information leak, so others probably haven't noticed
the problem.

The change below should fix that; I'll double-check the other callers as
well before sending a proper fixup patch to Andrew.

       Arnd

diff --git a/mm/mempolicy.c b/mm/mempolicy.c index 4fabf2dddbc0..0d1f3be32723 100644 --- a/mm/mempolicy.c +++ b/mm/mempolicy.c
@@ -1438,6 +1438,7 @@ static int copy_nodes_to_user(unsigned long __user *mask, unsigned long maxnode, if (clear_user((char __user *)mask + nbytes, copy - nbytes)) return -EFAULT; copy = nbytes; + maxnode = nr_node_ids; } if (compat)
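Review bot: the added `maxnode = nr_node_ids;` only bounds the over-read because the `if (compat)` path right after the closing brace consumes `maxnode` (a bit count) while the native path consumes `copy` (a byte count), and nothing in the hunk says so; a one-line comment above the new assignment, e.g. `/* the compat path below copies maxnode bits, keep it in step with copy */`, would stop a later cleanup from dropping one of the two clamps. Since the hunk turns a kernel-stack information leak (and, with CONFIG_VMAP_STACK, a crash) into a bounded copy, the proper fixup's changelog should state that explicitly, credit Heiko's report, and name the compat-mode strace selftest as the regression check.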
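Added example, not code from the mail or from the kernel tree: a user-space C model of copy_nodes_to_user() that assumes the function's shape at the time (the native path copies `copy` bytes, the compat path hands `maxnode` bits to compat_put_bitmap()) and counts how many bytes each variant reads from the 8-byte nodemask_t with and without the hunk's added line. The stand-in helpers, the LP64 assumption and the 4096-node request are constructed for the model.

```c
/* Added example, not code from the mail or the kernel tree: a user-space model of
 * copy_nodes_to_user() (mm/mempolicy.c) whose stand-in helpers only count bytes
 * read from the kernel-side nodemask_t, so the effect of the added line shows. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_NUMNODES 64          /* nodemask_t is 8 bytes, as in the mail */
#define PAGE_SIZE 4096
#define BITS_PER_LONG 64         /* the model assumes an LP64 kernel */
#define BITS_PER_COMPAT_LONG 32
#define ALIGN(x, a) (((x) + (a) - 1) & ~((unsigned long)(a) - 1))
#define BITS_TO_LONGS(n) (((n) + BITS_PER_LONG - 1) / BITS_PER_LONG)
#define BITS_TO_COMPAT_LONGS(n) (((n) + BITS_PER_COMPAT_LONG - 1) / BITS_PER_COMPAT_LONG)

typedef struct { uint64_t bits[BITS_TO_LONGS(MAX_NUMNODES)]; } nodemask_t;

/* Stand-in for compat_put_bitmap(): how much it reads from the source bitmap is
 * driven by the bit count it is handed, not by sizeof(nodemask_t). */
static unsigned long compat_put_bitmap_bytes_read(unsigned long nbits)
{
	return BITS_TO_COMPAT_LONGS(nbits) * sizeof(uint32_t);
}

/* Model of copy_nodes_to_user(): returns how many bytes are read from *nodes,
 * or -1 where the kernel returns -EINVAL. 'fixed' toggles the hunk's new line. */
static long copy_nodes_to_user_model(unsigned long maxnode, unsigned long nr_node_ids,
				     bool compat, bool fixed)
{
	unsigned long copy = ALIGN(maxnode - 1, 64) / 8;   /* bytes the caller asked for */
	unsigned long nbytes = BITS_TO_LONGS(nr_node_ids) * sizeof(uint64_t);

	if (compat)
		nbytes = BITS_TO_COMPAT_LONGS(nr_node_ids) * sizeof(uint32_t);

	if (copy > nbytes) {
		if (copy > PAGE_SIZE)
			return -1;                     /* -EINVAL */
		/* clear_user() of the user-side tail omitted: it reads no kernel memory */
		copy = nbytes;
		if (fixed)
			maxnode = nr_node_ids;         /* the line the hunk adds */
	}

	if (compat)             /* compat path consumes maxnode (bits) ... */
		return (long)compat_put_bitmap_bytes_read(maxnode);
	return (long)copy;      /* ... native path consumes copy (bytes) */
}

/* True when the call reads past the end of the 8-byte nodemask_t on the stack. */
static bool overreads_nodemask(unsigned long maxnode, unsigned long nr_node_ids,
			       bool compat, bool fixed)
{
	return copy_nodes_to_user_model(maxnode, nr_node_ids, compat, fixed)
	       > (long)sizeof(nodemask_t);
}
int main(void)
{
	/* Constructed case: a 32-bit caller asks for 4096 node bits on a 1-node box. */
	printf("compat, before fix: %ld bytes read from an 8-byte nodemask\n",
	       copy_nodes_to_user_model(4096, 1, true, false));
	printf("compat, after fix:  %ld bytes read\n", copy_nodes_to_user_model(4096, 1, true, true));
	return 0;
}
```

The native path is bounded by `copy = nbytes` alone; only the compat path needs `maxnode` clamped as well, which is what the model's two return statements make visible.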