Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp593188imu; Fri, 4 Jan 2019 03:39:39 -0800 (PST) X-Google-Smtp-Source: ALg8bN508fOmMw+D2RjvGTNjJ3bCoAXgvaO8yWDeQDc7iVNj+mkcOBaJUJ8Nd1rub1QBRhBeYMKb X-Received: by 2002:a63:d005:: with SMTP id z5mr20295478pgf.64.1546601979215; Fri, 04 Jan 2019 03:39:39 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1546601979; cv=none; d=google.com; s=arc-20160816; b=sKE8lAExsv5hv9VniB3lhyMLd3/RWWNbQNT6KK4QxeKAVKuU6m+g/d1qmm8JrLV4si KS5O01BdTia71K1MC+BKs4+MvCYdmLIiDEtP+98VfEuFFYAiBXxJ8JRCbbYQENhbwy+t 0nYgedjSzZlLGSSVybfojO46njahcQ2HInw5x4w+wVOo6YPMNsQOlzamf9mQzqceUm52 4gF+weG3BWaAiJgaNCSJ8GL5jbE2qCxFBJauB08zxkxGYUu3l7ZV20L6S3YxbSm9jVlJ iLvG4I0yI7EGbZD5tBGL8mrQzh9kgg8VJyEyj4b2KHpBzcSqBofYIwiiW4hQiI4oXIs9 AuHA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date; bh=4bv8QjY6cAx/CzIe2NCuERrA3svi2cDV2+8YhLW7+kk=; b=O5EljiZ2JR5iIXy9h4Bm0jMPasoV6+l2VMBxCpz96zFIGBnsjsHOmaCjS30YL57xZM DwxTd7k1oCICmWrx9p1Uf5YrqZFuONvgW7/FuDerETo9dY8GmKV1BtgigKMuI+3X7oX7 Pgn5n5KI0Dd2ONhxvGTCkwl+M+b4gTzwntQsUflJJT00XfOL0ggcSIbNqBWhnwufXfPP 73tZjhqJ7bYJlBcS/KEyFWPzN2hKLjQpoUrCdACHo2brg/VepU1AxxUWKQqBwpXkNt3J i6tlhyZb6sbZJ43XYNIMLKqG/qDE4Try9eyIVvdtSj16510K+RST5xe9KhZoVKBlE+cC meXw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id a12si10030023pll.112.2019.01.04.03.39.21; Fri, 04 Jan 2019 03:39:39 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727657AbfADJiL (ORCPT + 99 others); Fri, 4 Jan 2019 04:38:11 -0500 Received: from mx2.suse.de ([195.135.220.15]:38998 "EHLO mx1.suse.de" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1725958AbfADJiL (ORCPT ); Fri, 4 Jan 2019 04:38:11 -0500 X-Virus-Scanned: by amavisd-new at test-mx.suse.de Received: from relay2.suse.de (unknown [195.135.220.254]) by mx1.suse.de (Postfix) with ESMTP id C06B6AC81; Fri, 4 Jan 2019 09:38:09 +0000 (UTC) Date: Fri, 4 Jan 2019 10:38:08 +0100 From: Michal Hocko To: Roman Penyaev Cc: Andrew Morton , Andrey Ryabinin , Joe Perches , "Luis R. Rodriguez" , linux-mm@kvack.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org Subject: Re: [PATCH 1/3] mm/vmalloc: fix size check for remap_vmalloc_range_partial() Message-ID: <20190104093808.GJ31793@dhcp22.suse.cz> References: <20190103145954.16942-1-rpenyaev@suse.de> <20190103145954.16942-2-rpenyaev@suse.de> <20190103151357.GR31793@dhcp22.suse.cz> <20190103194054.GB31793@dhcp22.suse.cz> <5502b64d6c508f5432386d2cfe999844@suse.de> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <5502b64d6c508f5432386d2cfe999844@suse.de> User-Agent: Mutt/1.10.1 (2018-07-13) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu 03-01-19 21:31:58, Roman Penyaev wrote: > On 2019-01-03 20:40, Michal Hocko wrote: > > On Thu 03-01-19 20:27:26, Roman Penyaev wrote: > > > On 2019-01-03 16:13, Michal Hocko wrote: > > > > On Thu 03-01-19 15:59:52, Roman Penyaev wrote: > > > > > area->size can include adjacent guard page but get_vm_area_size() > > > > > returns actual size of the area. > > > > > > > > > > This fixes possible kernel crash when userspace tries to map area > > > > > on 1 page bigger: size check passes but the following > > > > > vmalloc_to_page() > > > > > returns NULL on last guard (non-existing) page. > > > > > > > > Can this actually happen? I am not really familiar with all the callers > > > > of this API but VM_NO_GUARD is not really used wildly in the kernel. > > > > > > Exactly, by default (VM_NO_GUARD is not set) each area has guard page, > > > thus the area->size will be bigger. The bug is not reproduced if > > > VM_NO_GUARD is set. > > > > > > > All I can see is kasan na arm64 which doesn't really seem to use it > > > > for vmalloc. > > > > > > > > So is the problem real or this is a mere cleanup? > > > > > > This is the real problem, try this hunk for any file descriptor which > > > provides > > > mapping, or say modify epoll as example: > > > > OK, my response was more confusing than I intended. I meant to say. Is > > there any in kernel code that would allow the bug have had in mind? > > In other words can userspace trick any existing code? > > In theory any existing caller of remap_vmalloc_range() which does > not have an explicit size check should trigger an oops, e.g. this is > a good candidate: > > *** drivers/media/usb/stkwebcam/stk-webcam.c: > v4l_stk_mmap[789] ret = remap_vmalloc_range(vma, sbuf->buffer, > 0); Hmm, sbuf->buffer is allocated in stk_setup_siobuf to have buf->v4lbuf.length. mmap callback maps this buffer to the vma size and that is indeed not enforced to be <= length AFAICS. So you are right! Can we have an example in the changelog please? Thanks! -- Michal Hocko SUSE Labs