From: Kefeng Wang <wangkefeng.wang@huawei.com>
To: Kees Cook <keescook@chromium.org>,
	Laura Abbott <labbott@redhat.com>,
	"Mark Rutland" <mark.rutland@arm.com>, <linux-mm@kvack.org>,
	Andrew Morton <akpm@linux-foundation.org>,
	<linux-kernel@vger.kernel.org>,
	Michael Ellerman <mpe@ellerman.id.au>,
	Benjamin Herrenschmidt <benh@kernel.crashing.org>,
	"Paul Mackerras" <paulus@samba.org>,
	<linuxppc-dev@lists.ozlabs.org>
Cc: Kefeng Wang <wangkefeng.wang@huawei.com>
Subject: [PATCH] Revert "mm/usercopy: Drop extra is_vmalloc_or_module() check"
Date: Thu, 23 Dec 2021 18:21:26 +0800
Message-ID: <20211223102126.161848-1-wangkefeng.wang@huawei.com>

This reverts commit 517e1fbeb65f5eade8d14f46ac365db6c75aea9b.

  usercopy: Kernel memory exposure attempt detected from SLUB object not in SLUB page?! (offset 0, size 1048)!
  kernel BUG at mm/usercopy.c:99
  ...
  usercopy_abort+0x64/0xa0 (unreliable)
  __check_heap_object+0x168/0x190
  __check_object_size+0x1a0/0x200
  dev_ethtool+0x2494/0x2b20
  dev_ioctl+0x5d0/0x770
  sock_do_ioctl+0xf0/0x1d0
  sock_ioctl+0x3ec/0x5a0
  __se_sys_ioctl+0xf0/0x160
  system_call_exception+0xfc/0x1f0
  system_call_common+0xf8/0x200

When running ethtool eth0, the BUG occurred; the code is shown below:

  data = vzalloc(array_size(gstrings.len, ETH_GSTRING_LEN));
  copy_to_user(useraddr, data, gstrings.len * ETH_GSTRING_LEN);

The data is allocated by vmalloc(), and virt_addr_valid(ptr) will return true
on PowerPC64, which leads to the panic. Add back the is_vmalloc_or_module()
check to fix it.

Fixes: 517e1fbeb65f ("mm/usercopy: Drop extra is_vmalloc_or_module() check")
Signed-off-by: Kefeng Wang <wangkefeng.wang@huawei.com>
---
 mm/usercopy.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/mm/usercopy.c b/mm/usercopy.c
index b3de3c4eefba..cfc845403017 100644
--- a/mm/usercopy.c
+++ b/mm/usercopy.c
@@ -225,6 +225,17 @@ static inline void check_heap_object(const void *ptr, unsigned long n,
 {
 	struct page *page;
 
+	/*
+	 * Some architectures (PowerPC64) return true for virt_addr_valid() on
+	 * vmalloced addresses. Work around this by checking for vmalloc
+	 * first.
+	 *
+	 * We also need to check for module addresses explicitly since we
+	 * may copy static data from modules to userspace
+	 */
+	if (is_vmalloc_or_module_addr(ptr))
+		return;
+
 	if (!virt_addr_valid(ptr))
 		return;
 
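Review bot: The early return added before `if (!virt_addr_valid(ptr))` fixes the reported BUG in generic mm code, but the comment itself calls it a workaround for PowerPC64's virt_addr_valid() returning true for vmalloc addresses; that is an arch defect, and correcting virt_addr_valid() under arch/powerpc would fix every caller that relies on it, not only check_heap_object(), so please consider that instead of (or alongside) reinstating this check. If the generic check is kept as an interim fix, the comment should say which configuration triggers it and point at the reported splat so it can be removed once the arch is corrected; it is also worth stating explicitly that the early `return` means vmalloc and module objects receive no bounds check here at all, which is the pre-517e1fbeb65f behaviour being restored rather than a new gap.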
-- 
2.26.2

