Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp673467imu; Fri, 4 Jan 2019 05:10:04 -0800 (PST) X-Google-Smtp-Source: ALg8bN58RPuZ+G2EPI1D1FjwriTwJyUYqKEJ8zba42h+3OiiriyyvsqTFv24uN40isSNQ1vgZ7xe X-Received: by 2002:a17:902:ab84:: with SMTP id f4mr49783222plr.207.1546607404497; Fri, 04 Jan 2019 05:10:04 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1546607404; cv=none; d=google.com; s=arc-20160816; b=eQwcRalQPhAAI4wTnTOzpZOt0utt+Rf4fISiasNpp4Dx+nY/DjUGsHMYwCXhtYG3Gz Omgw8SJFTb2OWfmVtNJYxVyzIuQLq4uvFV9ignkaiOdwVs9pVTPWdBKvl9OZGrboQGsg ZF+0ioLNzr0m0Z/ek5FVb8/E+xK24H2315D5254uYRApQiTDTrOVbvXyPLVb2iteGMts ZoBz9w+tlDIANYFf5vdt9/9QN+i+iPKQc8RMJsEjeg1mZmthBPhA+kQ+I3w5fBiMpP9X 7IYTKGYuvaWg1Fs/C7gFsIanWvS0gG+E4i254HtqGQKMF+xuaYkXXRRmfAf5i0211FVk I6eg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:message-id:references :in-reply-to:subject:cc:to:from:date:content-transfer-encoding :mime-version; bh=jI4n428pItKmyon9AqIeRtpZlqKqS8vS2MTFOCMWe3s=; b=Dt572EhIp6ubxKB8Wrhz2HONRw5NXAAmZMgwhPf/D4kv2LCwOirBlN+XmOwvgTZ0tl rSnN+yg5r0UYcp/bWVeLA4DAariUer+fB/h3wZ2SwH1pJCrnNqQj0SaJdiEURhxfPvTP qM8rzmqHd7GKExHsp2iXE4IH9pehYW/Lp8onUR0zewgmfi8fVac8fFuzp5GZDOfjC53I WLSTF+5QrhvRg4kx0v1aGnD7ksZJ3aQJvgs9jzTa4+nXsTE2au0DM1LOBqgRO/qT5gsl Mx3hB9SaCnazjjumU4obbqSDLWYqVyLS2cbK7HYSNu+SyNGHJooChfSsRQGc8bJK/8Vl S27w== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 34si55609294pgt.455.2019.01.04.05.09.43; Fri, 04 Jan 2019 05:10:04 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727604AbfADLGr (ORCPT + 99 others); Fri, 4 Jan 2019 06:06:47 -0500 Received: from mx2.suse.de ([195.135.220.15]:50922 "EHLO mx1.suse.de" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1726404AbfADLGr (ORCPT ); Fri, 4 Jan 2019 06:06:47 -0500 X-Virus-Scanned: by amavisd-new at test-mx.suse.de Received: from relay1.suse.de (unknown [195.135.220.254]) by mx1.suse.de (Postfix) with ESMTP id 71334AC4A; Fri, 4 Jan 2019 11:06:45 +0000 (UTC) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII; format=flowed Content-Transfer-Encoding: 7bit Date: Fri, 04 Jan 2019 12:06:44 +0100 From: Roman Penyaev To: Andrew Morton Cc: Michal Hocko , Andrey Ryabinin , Joe Perches , "Luis R. Rodriguez" , linux-mm@kvack.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org Subject: Re: [PATCH 1/3] mm/vmalloc: fix size check for remap_vmalloc_range_partial() In-Reply-To: <20190103145954.16942-2-rpenyaev@suse.de> References: <20190103145954.16942-1-rpenyaev@suse.de> <20190103145954.16942-2-rpenyaev@suse.de> Message-ID: X-Sender: rpenyaev@suse.de User-Agent: Roundcube Webmail Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi Andrew, Could you please update the commit message with something as the following (I hope it will become a bit clearer now): ------------- When VM_NO_GUARD is not set area->size includes adjacent guard page, thus for correct size checking get_vm_area_size() should be used, but not area->size. This fixes possible kernel oops when userspace tries to mmap an area on 1 page bigger than was allocated by vmalloc_user() call: the size check inside remap_vmalloc_range_partial() accounts non-existing guard page also, so check successfully passes but vmalloc_to_page() returns NULL (guard page does not physically exist). The following code pattern example should trigger an oops: static int oops_mmap(struct file *file, struct vm_area_struct *vma) { void *mem; mem = vmalloc_user(4096); BUG_ON(!mem); /* Do not care about mem leak */ return remap_vmalloc_range(vma, mem, 0); } And userspace simply mmaps size + PAGE_SIZE: mmap(NULL, 8192, PROT_WRITE|PROT_READ, MAP_PRIVATE, fd, 0); Possible candidates for oops which do not have any explicit size checks: *** drivers/media/usb/stkwebcam/stk-webcam.c: v4l_stk_mmap[789] ret = remap_vmalloc_range(vma, sbuf->buffer, 0); Or the following one: *** drivers/video/fbdev/core/fbmem.c static int fb_mmap(struct file *file, struct vm_area_struct * vma) ... res = fb->fb_mmap(info, vma); Where fb_mmap callback calls remap_vmalloc_range() directly without any explicit checks: *** drivers/video/fbdev/vfb.c static int vfb_mmap(struct fb_info *info, struct vm_area_struct *vma) { return remap_vmalloc_range(vma, (void *)info->fix.smem_start, vma->vm_pgoff); } -------- -- Roman On 2019-01-03 15:59, Roman Penyaev wrote: > area->size can include adjacent guard page but get_vm_area_size() > returns actual size of the area. > > This fixes possible kernel crash when userspace tries to map area > on 1 page bigger: size check passes but the following vmalloc_to_page() > returns NULL on last guard (non-existing) page. > > Signed-off-by: Roman Penyaev > Cc: Andrew Morton > Cc: Michal Hocko > Cc: Andrey Ryabinin > Cc: Joe Perches > Cc: "Luis R. Rodriguez" > Cc: linux-mm@kvack.org > Cc: linux-kernel@vger.kernel.org > Cc: stable@vger.kernel.org > --- > mm/vmalloc.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/mm/vmalloc.c b/mm/vmalloc.c > index 871e41c55e23..2cd24186ba84 100644 > --- a/mm/vmalloc.c > +++ b/mm/vmalloc.c > @@ -2248,7 +2248,7 @@ int remap_vmalloc_range_partial(struct > vm_area_struct *vma, unsigned long uaddr, > if (!(area->flags & VM_USERMAP)) > return -EINVAL; > > - if (kaddr + size > area->addr + area->size) > + if (kaddr + size > area->addr + get_vm_area_size(area)) > return -EINVAL; > > do {