Return-Path: 
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S934894AbcKDO50 (ORCPT ); Fri, 4 Nov 2016 10:57:26 -0400
Received: from gum.cmpxchg.org ([85.214.110.215]:46106 "EHLO gum.cmpxchg.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S933631AbcKDO5Z (ORCPT ); Fri, 4 Nov 2016 10:57:25 -0400
Date: Fri, 4 Nov 2016 10:57:04 -0400
From: Johannes Weiner
To: Jann Horn
Cc: Andrew Morton, "Kirill A. Shutemov", Vlastimil Babka, Jerome Marchand, linux-mm@kvack.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] swapfile: fix memory corruption via malformed swapfile
Message-ID: <20161104145704.GB8825@cmpxchg.org>
References: <1477949533-2509-1-git-send-email-jann@thejh.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <1477949533-2509-1-git-send-email-jann@thejh.net>
User-Agent: Mutt/1.7.1 (2016-10-04)
Sender: linux-kernel-owner@vger.kernel.org
List-ID: 
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 777
Lines: 17

On Mon, Oct 31, 2016 at 10:32:13PM +0100, Jann Horn wrote:
> When root activates a swap partition whose header has the wrong endianness,
> nr_badpages elements of badpages are swabbed before nr_badpages has been
> checked, leading to a buffer overrun of up to 8GB.
>
> This normally is not a security issue because it can only be exploited by
> root (more specifically, a process with CAP_SYS_ADMIN or the ability to
> modify a swap file/partition), and such a process can already e.g. modify
> swapped-out memory of any other userspace process on the system.
>
> Testcase for reproducing the bug (must be run as root, should crash your
> kernel):

[...]

> Cc: stable@vger.kernel.org
> Signed-off-by: Jann Horn

Acked-by: Johannes Weiner
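The ordering problem described in the quoted report (a count taken from an untrusted header drives a byte-swap loop before the count itself has been bounds-checked) is illustrated below in a user-space C example added here; it is not kernel code and not part of this thread. The `toy_swap_header` layout, `TOY_MAGIC`, `TOY_MAX_BADPAGES` and the `toy_*` functions are constructed stand-ins for the kernel's swap header and its bad-page limit, chosen small so the check is easy to exercise.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed, simplified stand-in for a swap header; not the kernel's
 * union swap_header. The array capacity is deliberately tiny. */
#define TOY_MAX_BADPAGES 4
#define TOY_MAGIC 0x53574150u   /* "SWAP" as a host-order word (constructed) */

struct toy_swap_header {
    uint32_t magic;                      /* byte order tells us if a swab is needed */
    uint32_t nr_badpages;                /* untrusted count from the on-disk header */
    uint32_t badpages[TOY_MAX_BADPAGES]; /* fixed capacity the count must respect */
};

static uint32_t swab32(uint32_t v)
{
    return ((v & 0x000000ffu) << 24) | ((v & 0x0000ff00u) << 8) |
           ((v & 0x00ff0000u) >> 8)  | ((v & 0xff000000u) >> 24);
}

/* Returns 0 on success (header converted to host order in place),
 * -1 if the header is malformed. */
int toy_parse_swap_header(struct toy_swap_header *hdr)
{
    int needs_swab;

    if (hdr->magic == TOY_MAGIC)
        needs_swab = 0;
    else if (swab32(hdr->magic) == TOY_MAGIC)
        needs_swab = 1;
    else
        return -1;                       /* unknown magic: reject outright */

    /* Convert the count to host order first ... */
    if (needs_swab)
        hdr->nr_badpages = swab32(hdr->nr_badpages);

    /* ... and validate it BEFORE touching the array it describes. The bug
     * in the report did the per-element swab loop ahead of this check, so
     * an oversized count walked the loop past the end of the buffer. */
    if (hdr->nr_badpages > TOY_MAX_BADPAGES)
        return -1;

    if (needs_swab) {
        for (uint32_t i = 0; i < hdr->nr_badpages; i++)
            hdr->badpages[i] = swab32(hdr->badpages[i]);
    }
    return 0;
}

/* Build a header the way a foreign-endian writer would emit it (constructed). */
static void toy_make_foreign_header(struct toy_swap_header *hdr, uint32_t nr,
                                    const uint32_t *pages, size_t npages)
{
    memset(hdr, 0, sizeof(*hdr));
    hdr->magic = swab32(TOY_MAGIC);
    hdr->nr_badpages = swab32(nr);
    for (size_t i = 0; i < npages && i < TOY_MAX_BADPAGES; i++)
        hdr->badpages[i] = swab32(pages[i]);
}

/* Well-formed foreign-endian header: parses, entries converted. Returns
 * badpages[1] in host order, or -1 if parsing unexpectedly failed. */
long toy_demo_wellformed(void)
{
    struct toy_swap_header hdr;
    const uint32_t pages[2] = { 0x1000, 0x2000 };

    toy_make_foreign_header(&hdr, 2, pages, 2);
    if (toy_parse_swap_header(&hdr) != 0)
        return -1;
    return (long)hdr.badpages[1];
}

/* Same layout with an absurd count: rejected before any element is touched.
 * Returns the parser's result (-1 expected). */
int toy_demo_oversized(void)
{
    struct toy_swap_header hdr;
    const uint32_t pages[TOY_MAX_BADPAGES] = { 0 };

    toy_make_foreign_header(&hdr, 0xffffffffu, pages, TOY_MAX_BADPAGES);
    return toy_parse_swap_header(&hdr);
}

int main(void)
{
    printf("well-formed: badpages[1] = 0x%lx\n", toy_demo_wellformed());
    printf("oversized count: parse result = %d\n", toy_demo_oversized());
    return 0;
}
```

The point of the example is the order of the two statements in `toy_parse_swap_header`: the count is converted and compared against the array's real capacity before any loop is bounded by it. That is the same shape as the fix the patch subject describes, and it is also the invariant a reviewer should look for in any parser of an on-disk or on-the-wire header that carries its own element count.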