* [PATCH] Avoid buffer overflows in get_user_pages()
@ 2008-02-11 23:17 Jonathan Corbet
2008-02-11 23:45 ` Nick Piggin
` (2 more replies)
0 siblings, 3 replies; 9+ messages in thread
From: Jonathan Corbet @ 2008-02-11 23:17 UTC (permalink / raw)
To: linux-kernel; +Cc: akpm, torvalds
Avoid buffer overflows in get_user_pages()
So I spent a while pounding my head against my monitor trying to figure
out the vmsplice() vulnerability - how could a failure to check for
*read* access turn into a root exploit? It turns out that it's a buffer
overflow problem which is made easy by the way get_user_pages() is
coded.
In particular, "len" is a signed int, and it is only checked at the
*end* of a do {} while() loop. So, if it is passed in as zero, the loop
will execute once and decrement len to -1. At that point, the loop will
proceed until the next invalid address is found; in the process, it will
likely overflow the pages array passed in to get_user_pages().
I think that, if get_user_pages() has been asked to grab zero pages,
that's what it should do. Thus this patch; it is, among other things,
enough to block the (already fixed) root exploit and any others which
might be lurking in similar code. I also think that the number of pages
should be unsigned, but changing the prototype of this function probably
requires some more careful review.
Signed-off-by: Jonathan Corbet <corbet@lwn.net>
diff --git a/mm/memory.c b/mm/memory.c
index e5628a5..7f50fd8 100644
--- a/mm/memory.c
+++ b/mm/memory.c
@@ -989,6 +989,8 @@ int get_user_pages(struct task_struct *tsk, struct mm_struct *mm,
int i;
unsigned int vm_flags;
+ if (len <= 0)
+ return 0;
/*
* Require read or write permissions.
* If 'force' is set, we only require the "MAY" flags.
^ permalink raw reply related [flat|nested] 9+ messages in thread
* Re: [PATCH] Avoid buffer overflows in get_user_pages()
2008-02-11 23:17 [PATCH] Avoid buffer overflows in get_user_pages() Jonathan Corbet
@ 2008-02-11 23:45 ` Nick Piggin
2008-02-12 7:46 ` Andrew Morton
2008-02-14 16:45 ` Oliver Pinter
2 siblings, 0 replies; 9+ messages in thread
From: Nick Piggin @ 2008-02-11 23:45 UTC (permalink / raw)
To: Jonathan Corbet; +Cc: linux-kernel, akpm, torvalds
On Tuesday 12 February 2008 10:17, Jonathan Corbet wrote:
> Avoid buffer overflows in get_user_pages()
>
> So I spent a while pounding my head against my monitor trying to figure
> out the vmsplice() vulnerability - how could a failure to check for
> *read* access turn into a root exploit? It turns out that it's a buffer
> overflow problem which is made easy by the way get_user_pages() is
> coded.
>
> In particular, "len" is a signed int, and it is only checked at the
> *end* of a do {} while() loop. So, if it is passed in as zero, the loop
> will execute once and decrement len to -1. At that point, the loop will
> proceed until the next invalid address is found; in the process, it will
> likely overflow the pages array passed in to get_user_pages().
>
> I think that, if get_user_pages() has been asked to grab zero pages,
> that's what it should do. Thus this patch; it is, among other things,
> enough to block the (already fixed) root exploit and any others which
> might be lurking in similar code. I also think that the number of pages
> should be unsigned, but changing the prototype of this function probably
> requires some more careful review.
>
> Signed-off-by: Jonathan Corbet <corbet@lwn.net>
>
> diff --git a/mm/memory.c b/mm/memory.c
> index e5628a5..7f50fd8 100644
> --- a/mm/memory.c
> +++ b/mm/memory.c
> @@ -989,6 +989,8 @@ int get_user_pages(struct task_struct *tsk, struct
> mm_struct *mm, int i;
> unsigned int vm_flags;
>
> + if (len <= 0)
> + return 0;
BUG_ON()?
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH] Avoid buffer overflows in get_user_pages()
2008-02-11 23:17 [PATCH] Avoid buffer overflows in get_user_pages() Jonathan Corbet
2008-02-11 23:45 ` Nick Piggin
@ 2008-02-12 7:46 ` Andrew Morton
2008-02-12 10:35 ` Jiri Kosina
2008-02-14 16:45 ` Oliver Pinter
2 siblings, 1 reply; 9+ messages in thread
From: Andrew Morton @ 2008-02-12 7:46 UTC (permalink / raw)
To: Jonathan Corbet; +Cc: linux-kernel, torvalds
On Mon, 11 Feb 2008 16:17:33 -0700 Jonathan Corbet <corbet@lwn.net> wrote:
> Avoid buffer overflows in get_user_pages()
>
> So I spent a while pounding my head against my monitor trying to figure
> out the vmsplice() vulnerability - how could a failure to check for
> *read* access turn into a root exploit? It turns out that it's a buffer
> overflow problem which is made easy by the way get_user_pages() is
> coded.
>
> In particular, "len" is a signed int, and it is only checked at the
> *end* of a do {} while() loop. So, if it is passed in as zero, the loop
> will execute once and decrement len to -1. At that point, the loop will
> proceed until the next invalid address is found; in the process, it will
> likely overflow the pages array passed in to get_user_pages().
Sounds convincing.
> I think that, if get_user_pages() has been asked to grab zero pages,
> that's what it should do. Thus this patch; it is, among other things,
> enough to block the (already fixed) root exploit and any others which
> might be lurking in similar code. I also think that the number of pages
> should be unsigned, but changing the prototype of this function probably
> requires some more careful review.
>
> Signed-off-by: Jonathan Corbet <corbet@lwn.net>
>
> diff --git a/mm/memory.c b/mm/memory.c
> index e5628a5..7f50fd8 100644
> --- a/mm/memory.c
> +++ b/mm/memory.c
> @@ -989,6 +989,8 @@ int get_user_pages(struct task_struct *tsk, struct mm_struct *mm,
> int i;
> unsigned int vm_flags;
>
> + if (len <= 0)
> + return 0;
> /*
> * Require read or write permissions.
> * If 'force' is set, we only require the "MAY" flags.
Can we just convert
do {
...
} while (len);
into
while (len) {
...
}
?
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH] Avoid buffer overflows in get_user_pages()
2008-02-12 7:46 ` Andrew Morton
@ 2008-02-12 10:35 ` Jiri Kosina
0 siblings, 0 replies; 9+ messages in thread
From: Jiri Kosina @ 2008-02-12 10:35 UTC (permalink / raw)
To: Andrew Morton; +Cc: Jonathan Corbet, linux-kernel, torvalds
On Mon, 11 Feb 2008, Andrew Morton wrote:
> > + if (len <= 0)
> > + return 0;
> > /*
> > * Require read or write permissions.
> > * If 'force' is set, we only require the "MAY" flags.
> Can we just convert
> do {
> ...
> } while (len);
> into
> while (len) {
> ...
> }
How would that help?
Rather
while (len > 0) {
...
}
would do the trick.
--
Jiri Kosina
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH] Avoid buffer overflows in get_user_pages()
2008-02-11 23:17 [PATCH] Avoid buffer overflows in get_user_pages() Jonathan Corbet
2008-02-11 23:45 ` Nick Piggin
2008-02-12 7:46 ` Andrew Morton
@ 2008-02-14 16:45 ` Oliver Pinter
2008-02-14 21:09 ` Jonathan Corbet
2 siblings, 1 reply; 9+ messages in thread
From: Oliver Pinter @ 2008-02-14 16:45 UTC (permalink / raw)
To: stable; +Cc: linux-kernel, akpm, torvalds, Jonathan Corbet
for stable (.22 .23 .24) ?
git id in mainline: 900cf086fd2fbad07f72f4575449e0d0958f860f
--
tested in: http://repo.or.cz/w/linux-2.6.22.y-op.git testing
On 2/12/08, Jonathan Corbet <corbet@lwn.net> wrote:
> Avoid buffer overflows in get_user_pages()
>
> So I spent a while pounding my head against my monitor trying to figure
> out the vmsplice() vulnerability - how could a failure to check for
> *read* access turn into a root exploit? It turns out that it's a buffer
> overflow problem which is made easy by the way get_user_pages() is
> coded.
>
> In particular, "len" is a signed int, and it is only checked at the
> *end* of a do {} while() loop. So, if it is passed in as zero, the loop
> will execute once and decrement len to -1. At that point, the loop will
> proceed until the next invalid address is found; in the process, it will
> likely overflow the pages array passed in to get_user_pages().
>
> I think that, if get_user_pages() has been asked to grab zero pages,
> that's what it should do. Thus this patch; it is, among other things,
> enough to block the (already fixed) root exploit and any others which
> might be lurking in similar code. I also think that the number of pages
> should be unsigned, but changing the prototype of this function probably
> requires some more careful review.
>
> Signed-off-by: Jonathan Corbet <corbet@lwn.net>
>
> diff --git a/mm/memory.c b/mm/memory.c
> index e5628a5..7f50fd8 100644
> --- a/mm/memory.c
> +++ b/mm/memory.c
> @@ -989,6 +989,8 @@ int get_user_pages(struct task_struct *tsk, struct
> mm_struct *mm,
> int i;
> unsigned int vm_flags;
>
> + if (len <= 0)
> + return 0;
> /*
> * Require read or write permissions.
> * If 'force' is set, we only require the "MAY" flags.
> --
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at http://www.tux.org/lkml/
>
--
Thanks,
Oliver
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH] Avoid buffer overflows in get_user_pages()
2008-02-14 16:45 ` Oliver Pinter
@ 2008-02-14 21:09 ` Jonathan Corbet
0 siblings, 0 replies; 9+ messages in thread
From: Jonathan Corbet @ 2008-02-14 21:09 UTC (permalink / raw)
To: Oliver Pinter; +Cc: linux-kernel, akpm, torvalds
Oliver Pinter <oliver.pntr@gmail.com> wrote:
> for stable (.22 .23 .24) ?
>
> git id in mainline: 900cf086fd2fbad07f72f4575449e0d0958f860f
I sent it to the stable folks a couple days ago.
Thanks,
jon
Jonathan Corbet / LWN.net / corbet@lwn.net
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH] Avoid buffer overflows in get_user_pages()
[not found] ` <9VY4a-1tI-21@gated-at.bofh.it>
@ 2008-02-12 8:34 ` Bodo Eggert
0 siblings, 0 replies; 9+ messages in thread
From: Bodo Eggert @ 2008-02-12 8:34 UTC (permalink / raw)
To: Andrew Morton, Jonathan Corbet, linux-kernel, torvalds
Andrew Morton <akpm@linux-foundation.org> wrote:
> On Mon, 11 Feb 2008 16:17:33 -0700 Jonathan Corbet <corbet@lwn.net> wrote:
>> Avoid buffer overflows in get_user_pages()
>>
>> So I spent a while pounding my head against my monitor trying to figure
>> out the vmsplice() vulnerability - how could a failure to check for
>> *read* access turn into a root exploit? It turns out that it's a buffer
>> overflow problem which is made easy by the way get_user_pages() is
>> coded.
>>
>> In particular, "len" is a signed int, and it is only checked at the
>> *end* of a do {} while() loop. So, if it is passed in as zero, the loop
>> will execute once and decrement len to -1. At that point, the loop will
>> proceed until the next invalid address is found; in the process, it will
>> likely overflow the pages array passed in to get_user_pages().
[...]
> Can we just convert
>
> do {
> ...
> } while (len);
>
> into
>
> while (len) {
while (len > 0), if I understand this patch correctly.
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH] Avoid buffer overflows in get_user_pages()
2008-02-12 3:16 ` Robert Hancock
@ 2008-02-12 5:56 ` Nick Piggin
0 siblings, 0 replies; 9+ messages in thread
From: Nick Piggin @ 2008-02-12 5:56 UTC (permalink / raw)
To: Robert Hancock; +Cc: Jonathan Corbet, linux-kernel, akpm, torvalds
On Tuesday 12 February 2008 14:16, Robert Hancock wrote:
> Nick Piggin wrote:
> > On Tuesday 12 February 2008 10:17, Jonathan Corbet wrote:
> >> Avoid buffer overflows in get_user_pages()
> >>
> >> So I spent a while pounding my head against my monitor trying to figure
> >> out the vmsplice() vulnerability - how could a failure to check for
> >> *read* access turn into a root exploit? It turns out that it's a buffer
> >> overflow problem which is made easy by the way get_user_pages() is
> >> coded.
> >>
> >> In particular, "len" is a signed int, and it is only checked at the
> >> *end* of a do {} while() loop. So, if it is passed in as zero, the loop
> >> will execute once and decrement len to -1. At that point, the loop will
> >> proceed until the next invalid address is found; in the process, it will
> >> likely overflow the pages array passed in to get_user_pages().
> >>
> >> I think that, if get_user_pages() has been asked to grab zero pages,
> >> that's what it should do. Thus this patch; it is, among other things,
> >> enough to block the (already fixed) root exploit and any others which
> >> might be lurking in similar code. I also think that the number of pages
> >> should be unsigned, but changing the prototype of this function probably
> >> requires some more careful review.
> >>
> >> Signed-off-by: Jonathan Corbet <corbet@lwn.net>
> >>
> >> diff --git a/mm/memory.c b/mm/memory.c
> >> index e5628a5..7f50fd8 100644
> >> --- a/mm/memory.c
> >> +++ b/mm/memory.c
> >> @@ -989,6 +989,8 @@ int get_user_pages(struct task_struct *tsk, struct
> >> mm_struct *mm, int i;
> >> unsigned int vm_flags;
> >>
> >> + if (len <= 0)
> >> + return 0;
> >
> > BUG_ON()?
>
> Well, not if the code involved in the exploit can pass a zero value,
Which is a bug, and you want to catch it.
> otherwise it's just turning it into a DoS..
If it is due to a security bug, then the fix is to fix the point
where the kernel starts trusting an untrusted value. Not to hide
the bug like this. Arguably, a BUG_ON is better in the case of a
security hole because you want to halt the process as soon as you
detect a problem.
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH] Avoid buffer overflows in get_user_pages()
[not found] ` <fa.NNs+hqAlLlf93+yNZ/YJzSyGQbs@ifi.uio.no>
@ 2008-02-12 3:16 ` Robert Hancock
2008-02-12 5:56 ` Nick Piggin
0 siblings, 1 reply; 9+ messages in thread
From: Robert Hancock @ 2008-02-12 3:16 UTC (permalink / raw)
To: Nick Piggin; +Cc: Jonathan Corbet, linux-kernel, akpm, torvalds
Nick Piggin wrote:
> On Tuesday 12 February 2008 10:17, Jonathan Corbet wrote:
>> Avoid buffer overflows in get_user_pages()
>>
>> So I spent a while pounding my head against my monitor trying to figure
>> out the vmsplice() vulnerability - how could a failure to check for
>> *read* access turn into a root exploit? It turns out that it's a buffer
>> overflow problem which is made easy by the way get_user_pages() is
>> coded.
>>
>> In particular, "len" is a signed int, and it is only checked at the
>> *end* of a do {} while() loop. So, if it is passed in as zero, the loop
>> will execute once and decrement len to -1. At that point, the loop will
>> proceed until the next invalid address is found; in the process, it will
>> likely overflow the pages array passed in to get_user_pages().
>>
>> I think that, if get_user_pages() has been asked to grab zero pages,
>> that's what it should do. Thus this patch; it is, among other things,
>> enough to block the (already fixed) root exploit and any others which
>> might be lurking in similar code. I also think that the number of pages
>> should be unsigned, but changing the prototype of this function probably
>> requires some more careful review.
>>
>> Signed-off-by: Jonathan Corbet <corbet@lwn.net>
>>
>> diff --git a/mm/memory.c b/mm/memory.c
>> index e5628a5..7f50fd8 100644
>> --- a/mm/memory.c
>> +++ b/mm/memory.c
>> @@ -989,6 +989,8 @@ int get_user_pages(struct task_struct *tsk, struct
>> mm_struct *mm, int i;
>> unsigned int vm_flags;
>>
>> + if (len <= 0)
>> + return 0;
>
> BUG_ON()?
Well, not if the code involved in the exploit can pass a zero value,
otherwise it's just turning it into a DoS..
^ permalink raw reply [flat|nested] 9+ messages in thread
end of thread, other threads:[~2008-02-14 21:09 UTC | newest]
Thread overview: 9+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2008-02-11 23:17 [PATCH] Avoid buffer overflows in get_user_pages() Jonathan Corbet
2008-02-11 23:45 ` Nick Piggin
2008-02-12 7:46 ` Andrew Morton
2008-02-12 10:35 ` Jiri Kosina
2008-02-14 16:45 ` Oliver Pinter
2008-02-14 21:09 ` Jonathan Corbet
[not found] <fa.5jOFf0zR7ZoK3hLDItf3Omow4lE@ifi.uio.no>
[not found] ` <fa.NNs+hqAlLlf93+yNZ/YJzSyGQbs@ifi.uio.no>
2008-02-12 3:16 ` Robert Hancock
2008-02-12 5:56 ` Nick Piggin
[not found] <9VQ6w-5Xn-7@gated-at.bofh.it>
[not found] ` <9VY4a-1tI-21@gated-at.bofh.it>
2008-02-12 8:34 ` Bodo Eggert
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).