[PATCH] arm64: mm: check for upper PAGE_SHIFT bits in pfn_valid()

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Greg Hackmann <ghackmann@android.com>
To: unlisted-recipients:; (no To-header on input)
Cc: Greg Hackmann <ghackmann@android.com>,
	stable@vger.kernel.org, Greg Hackmann <ghackmann@google.com>,
	Will Deacon <will.deacon@arm.com>
Subject: [PATCH] arm64: mm: check for upper PAGE_SHIFT bits in pfn_valid()
Date: Thu, 30 Aug 2018 11:25:35 -0700	[thread overview]
Message-ID: <20180830182535.24881-1-ghackmann@google.com> (raw)
In-Reply-To: <153564819857136@kroah.com>

From: Greg Hackmann <ghackmann@android.com>

commit 5ad356eabc47d26a92140a0c4b20eba471c10de3 upstream.

ARM64's pfn_valid() shifts away the upper PAGE_SHIFT bits of the input
before seeing if the PFN is valid.  This leads to false positives when
some of the upper bits are set, but the lower bits match a valid PFN.

For example, the following userspace code looks up a bogus entry in
/proc/kpageflags:

    int pagemap = open("/proc/self/pagemap", O_RDONLY);
    int pageflags = open("/proc/kpageflags", O_RDONLY);
    uint64_t pfn, val;

    lseek64(pagemap, [...], SEEK_SET);
    read(pagemap, &pfn, sizeof(pfn));
    if (pfn & (1UL << 63)) {        /* valid PFN */
        pfn &= ((1UL << 55) - 1);   /* clear flag bits */
        pfn |= (1UL << 55);
        lseek64(pageflags, pfn * sizeof(uint64_t), SEEK_SET);
        read(pageflags, &val, sizeof(val));
    }

On ARM64 this causes the userspace process to crash with SIGSEGV rather
than reading (1 << KPF_NOPAGE).  kpageflags_read() treats the offset as
valid, and stable_page_flags() will try to access an address between the
user and kernel address ranges.

Fixes: c1cc1552616d ("arm64: MMU initialisation")
Cc: stable@vger.kernel.org
Signed-off-by: Greg Hackmann <ghackmann@google.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
---
Backport for kernels < 4.9.  The original commit has a merge conflict
due to a change from memblock_is_memory() to memblock_is_map_memory().

 arch/arm64/mm/init.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/arch/arm64/mm/init.c b/arch/arm64/mm/init.c
index efd89ce4533d..adf4122502a9 100644
--- a/arch/arm64/mm/init.c
+++ b/arch/arm64/mm/init.c
@@ -120,7 +120,11 @@ static void __init zone_sizes_init(unsigned long min, unsigned long max)
 #ifdef CONFIG_HAVE_ARCH_PFN_VALID
 int pfn_valid(unsigned long pfn)
 {
-	return memblock_is_memory(pfn << PAGE_SHIFT);
+	phys_addr_t addr = pfn << PAGE_SHIFT;
+
+	if ((addr >> PAGE_SHIFT) != pfn)
+		return 0;
+	return memblock_is_memory(addr);
 }
 EXPORT_SYMBOL(pfn_valid);
 #endif
-- 
2.19.0.rc0.228.g281dcd1b4d0-goog

next prev parent reply	other threads:[~2018-08-30 22:30 UTC|newest]

Thread overview: 12+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-08-30 16:56 FAILED: patch "[PATCH] arm64: mm: check for upper PAGE_SHIFT bits in pfn_valid()" failed to apply to 4.4-stable tree gregkh
2018-08-30 18:25 ` Greg Hackmann [this message]
  -- strict thread matches above, loose matches on Subject: below --
2018-08-13 19:30 [PATCH] arm64: mm: check for upper PAGE_SHIFT bits in pfn_valid() Greg Hackmann
2018-08-13 19:30 ` Greg Hackmann
2018-08-14 10:40 ` Will Deacon
2018-08-14 10:40   ` Will Deacon
2018-08-14 15:17   ` Greg Hackmann
2018-08-14 15:17     ` Greg Hackmann
2018-08-14 15:29     ` Will Deacon
2018-08-14 15:29       ` Will Deacon
2018-08-15 19:30       ` Greg Hackmann
2018-08-15 19:30         ` Greg Hackmann

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:efd89ce4533 dfblob:adf4122502a )
 OR (
bs:"[PATCH] arm64: mm: check for upper PAGE_SHIFT bits in pfn_valid()" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20180830182535.24881-1-ghackmann@google.com \
    --to=ghackmann@android.com \
    --cc=ghackmann@google.com \
    --cc=stable@vger.kernel.org \
    --cc=will.deacon@arm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.