From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S947225AbcJaVcX (ORCPT ); Mon, 31 Oct 2016 17:32:23 -0400 Received: from thejh.net ([37.221.195.125]:60662 "EHLO thejh.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S947154AbcJaVcV (ORCPT ); Mon, 31 Oct 2016 17:32:21 -0400 From: Jann Horn To: Andrew Morton , "Kirill A. Shutemov" , Vlastimil Babka , Johannes Weiner , Jerome Marchand Cc: linux-mm@kvack.org, linux-kernel@vger.kernel.org Subject: [PATCH] swapfile: fix memory corruption via malformed swapfile Date: Mon, 31 Oct 2016 22:32:13 +0100 Message-Id: <1477949533-2509-1-git-send-email-jann@thejh.net> X-Mailer: git-send-email 2.1.4 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org When root activates a swap partition whose header has the wrong endianness, nr_badpages elements of badpages are swabbed before nr_badpages has been checked, leading to a buffer overrun of up to 8GB. This normally is not a security issue because it can only be exploited by root (more specifically, a process with CAP_SYS_ADMIN or the ability to modify a swap file/partition), and such a process can already e.g. modify swapped-out memory of any other userspace process on the system. Testcase for reproducing the bug (must be run as root, should crash your kernel): ================= #include #include #include #include #include #include #include #define PAGE_SIZE 4096 #define __u32 unsigned int // from include/linux/swap.h union swap_header { struct { char reserved[PAGE_SIZE - 10]; char magic[10]; /* SWAP-SPACE or SWAPSPACE2 */ } magic; struct { char bootbits[1024]; /* Space for disklabel etc. */ __u32 version; __u32 last_page; __u32 nr_badpages; unsigned char sws_uuid[16]; unsigned char sws_volume[16]; __u32 padding[117]; __u32 badpages[1]; } info; }; int main(void) { char file[] = "/tmp/swapfile.XXXXXX"; int file_fd = mkstemp(file); if (file_fd == -1) err(1, "mkstemp"); if (ftruncate(file_fd, PAGE_SIZE)) err(1, "ftruncate"); union swap_header swap_header = { .info = { .version = __builtin_bswap32(1), .nr_badpages = __builtin_bswap32(INT_MAX) } }; memcpy(swap_header.magic.magic, "SWAPSPACE2", 10); if (write(file_fd, &swap_header, sizeof(swap_header)) != sizeof(swap_header)) err(1, "write"); // not because the attack needs it, just in case you forgot to // sync yourself before crashing your machine sync(); // now die if (swapon(file, 0)) err(1, "swapon"); puts("huh, we survived"); if (swapoff(file)) err(1, "swapoff"); unlink(file); } ================= Cc: stable@vger.kernel.org Signed-off-by: Jann Horn --- mm/swapfile.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/mm/swapfile.c b/mm/swapfile.c index 2210de290b54..f30438970cd1 100644 --- a/mm/swapfile.c +++ b/mm/swapfile.c @@ -2224,6 +2224,8 @@ static unsigned long read_swap_header(struct swap_info_struct *p, swab32s(&swap_header->info.version); swab32s(&swap_header->info.last_page); swab32s(&swap_header->info.nr_badpages); + if (swap_header->info.nr_badpages > MAX_SWAP_BADPAGES) + return 0; for (i = 0; i < swap_header->info.nr_badpages; i++) swab32s(&swap_header->info.badpages[i]); } -- 2.1.4