* [PATCH v2 1/2] arm64: mm: check for upper PAGE_SHIFT bits in pfn_valid()
@ 2018-08-15 19:51 Greg Hackmann
2018-08-15 19:51 ` [PATCH v2 2/2] arm: " Greg Hackmann
0 siblings, 1 reply; 2+ messages in thread
From: Greg Hackmann @ 2018-08-15 19:51 UTC (permalink / raw)
To: linux-arm-kernel
Cc: kernel-team, Greg Hackmann, stable, Catalin Marinas, Will Deacon,
Laura Abbott, Andrew Morton, Robin Murphy, Johannes Weiner,
Kristina Martsenko, CHANDAN VN, Steve Capper, Stefan Agner,
linux-kernel
ARM64's pfn_valid() shifts away the upper PAGE_SHIFT bits of the input
before seeing if the PFN is valid. This leads to false positives when
some of the upper bits are set, but the lower bits match a valid PFN.
For example, the following userspace code looks up a bogus entry in
/proc/kpageflags:
int pagemap = open("/proc/self/pagemap", O_RDONLY);
int pageflags = open("/proc/kpageflags", O_RDONLY);
uint64_t pfn, val;
lseek64(pagemap, [...], SEEK_SET);
read(pagemap, &pfn, sizeof(pfn));
if (pfn & (1UL << 63)) { /* valid PFN */
pfn &= ((1UL << 55) - 1); /* clear flag bits */
pfn |= (1UL << 55);
lseek64(pageflags, pfn * sizeof(uint64_t), SEEK_SET);
read(pageflags, &val, sizeof(val));
}
On ARM64 this causes the userspace process to crash with SIGSEGV rather
than reading (1 << KPF_NOPAGE). kpageflags_read() treats the offset as
valid, and stable_page_flags() will try to access an address between the
user and kernel address ranges.
Fixes: c1cc1552616d ("arm64: MMU initialisation")
Cc: stable@vger.kernel.org
Signed-off-by: Greg Hackmann <ghackmann@google.com>
---
arch/arm64/mm/init.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/arch/arm64/mm/init.c b/arch/arm64/mm/init.c
index 9abf8a1e7b25..787e27964ab9 100644
--- a/arch/arm64/mm/init.c
+++ b/arch/arm64/mm/init.c
@@ -287,7 +287,11 @@ static void __init zone_sizes_init(unsigned long min, unsigned long max)
#ifdef CONFIG_HAVE_ARCH_PFN_VALID
int pfn_valid(unsigned long pfn)
{
- return memblock_is_map_memory(pfn << PAGE_SHIFT);
+ phys_addr_t addr = pfn << PAGE_SHIFT;
+
+ if ((addr >> PAGE_SHIFT) != pfn)
+ return 0;
+ return memblock_is_map_memory(addr);
}
EXPORT_SYMBOL(pfn_valid);
#endif
--
2.18.0.865.gffc8e1a3cd6-goog
^ permalink raw reply related [flat|nested] 2+ messages in thread
* [PATCH v2 2/2] arm: mm: check for upper PAGE_SHIFT bits in pfn_valid()
2018-08-15 19:51 [PATCH v2 1/2] arm64: mm: check for upper PAGE_SHIFT bits in pfn_valid() Greg Hackmann
@ 2018-08-15 19:51 ` Greg Hackmann
0 siblings, 0 replies; 2+ messages in thread
From: Greg Hackmann @ 2018-08-15 19:51 UTC (permalink / raw)
To: linux-arm-kernel
Cc: kernel-team, Greg Hackmann, stable, Russell King, Kees Cook,
Vladimir Murzin, Philip Derrin, Steven Rostedt (VMware),
Nicolas Pitre, Jinbum Park, linux-kernel
ARM's pfn_valid() has a similar shifting bug to the ARM64 bug fixed in
the previous patch. This only affects non-LPAE kernels, since LPAE
kernels will promote to 64 bits inside __pfn_to_phys().
Fixes: 5e6f6aa1c243 ("memblock/arm: pfn_valid uses memblock_is_memory()")
Cc: stable@vger.kernel.org
Signed-off-by: Greg Hackmann <ghackmann@google.com>
---
arch/arm/mm/init.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/arch/arm/mm/init.c b/arch/arm/mm/init.c
index 0cc8e04295a4..bee1f2e4ecf3 100644
--- a/arch/arm/mm/init.c
+++ b/arch/arm/mm/init.c
@@ -196,7 +196,11 @@ static void __init zone_sizes_init(unsigned long min, unsigned long max_low,
#ifdef CONFIG_HAVE_ARCH_PFN_VALID
int pfn_valid(unsigned long pfn)
{
- return memblock_is_map_memory(__pfn_to_phys(pfn));
+ phys_addr_t addr = __pfn_to_phys(pfn);
+
+ if (__phys_to_pfn(addr) != pfn)
+ return 0;
+ return memblock_is_map_memory(addr);
}
EXPORT_SYMBOL(pfn_valid);
#endif
--
2.18.0.865.gffc8e1a3cd6-goog
^ permalink raw reply related [flat|nested] 2+ messages in thread
end of thread, other threads:[~2018-08-15 19:53 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-08-15 19:51 [PATCH v2 1/2] arm64: mm: check for upper PAGE_SHIFT bits in pfn_valid() Greg Hackmann
2018-08-15 19:51 ` [PATCH v2 2/2] arm: " Greg Hackmann
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).