From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Jann Horn <jannh@google.com>,
Andrew Morton <akpm@linux-foundation.org>,
Alexei Starovoitov <ast@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
Martin KaFai Lau <kafai@fb.com>, Song Liu <songliubraving@fb.com>,
Yonghong Song <yhs@fb.com>, Andrii Nakryiko <andriin@fb.com>,
John Fastabend <john.fastabend@gmail.com>,
KP Singh <kpsingh@chromium.org>,
Linus Torvalds <torvalds@linux-foundation.org>
Subject: [PATCH 4.9 39/80] vmalloc: fix remap_vmalloc_range() bounds checks
Date: Fri, 1 May 2020 15:21:33 +0200 [thread overview]
Message-ID: <20200501131526.076612229@linuxfoundation.org> (raw)
In-Reply-To: <20200501131513.810761598@linuxfoundation.org>
From: Jann Horn <jannh@google.com>
commit bdebd6a2831b6fab69eb85cee74a8ba77f1a1cc2 upstream.
remap_vmalloc_range() has had various issues with the bounds checks it
promises to perform ("This function checks that addr is a valid
vmalloc'ed area, and that it is big enough to cover the vma") over time,
e.g.:
- not detecting pgoff<<PAGE_SHIFT overflow
- not detecting (pgoff<<PAGE_SHIFT)+usize overflow
- not checking whether addr and addr+(pgoff<<PAGE_SHIFT) are the same
vmalloc allocation
- comparing a potentially wildly out-of-bounds pointer with the end of
the vmalloc region
In particular, since commit fc9702273e2e ("bpf: Add mmap() support for
BPF_MAP_TYPE_ARRAY"), unprivileged users can cause kernel null pointer
dereferences by calling mmap() on a BPF map with a size that is bigger
than the distance from the start of the BPF map to the end of the
address space.
This could theoretically be used as a kernel ASLR bypass, by using
whether mmap() with a given offset oopses or returns an error code to
perform a binary search over the possible address range.
To allow remap_vmalloc_range_partial() to verify that addr and
addr+(pgoff<<PAGE_SHIFT) are in the same vmalloc region, pass the offset
to remap_vmalloc_range_partial() instead of adding it to the pointer in
remap_vmalloc_range().
In remap_vmalloc_range_partial(), fix the check against
get_vm_area_size() by using size comparisons instead of pointer
comparisons, and add checks for pgoff.
Fixes: 833423143c3a ("[PATCH] mm: introduce remap_vmalloc_range()")
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Cc: stable@vger.kernel.org
Cc: Alexei Starovoitov <ast@kernel.org>
Cc: Daniel Borkmann <daniel@iogearbox.net>
Cc: Martin KaFai Lau <kafai@fb.com>
Cc: Song Liu <songliubraving@fb.com>
Cc: Yonghong Song <yhs@fb.com>
Cc: Andrii Nakryiko <andriin@fb.com>
Cc: John Fastabend <john.fastabend@gmail.com>
Cc: KP Singh <kpsingh@chromium.org>
Link: http://lkml.kernel.org/r/20200415222312.236431-1-jannh@google.com
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/proc/vmcore.c | 2 +-
include/linux/vmalloc.h | 2 +-
mm/vmalloc.c | 16 +++++++++++++---
3 files changed, 15 insertions(+), 5 deletions(-)
--- a/fs/proc/vmcore.c
+++ b/fs/proc/vmcore.c
@@ -459,7 +459,7 @@ static int mmap_vmcore(struct file *file
tsz = min(elfcorebuf_sz + elfnotes_sz - (size_t)start, size);
kaddr = elfnotes_buf + start - elfcorebuf_sz;
if (remap_vmalloc_range_partial(vma, vma->vm_start + len,
- kaddr, tsz))
+ kaddr, 0, tsz))
goto fail;
size -= tsz;
start += tsz;
--- a/include/linux/vmalloc.h
+++ b/include/linux/vmalloc.h
@@ -89,7 +89,7 @@ extern void vunmap(const void *addr);
extern int remap_vmalloc_range_partial(struct vm_area_struct *vma,
unsigned long uaddr, void *kaddr,
- unsigned long size);
+ unsigned long pgoff, unsigned long size);
extern int remap_vmalloc_range(struct vm_area_struct *vma, void *addr,
unsigned long pgoff);
--- a/mm/vmalloc.c
+++ b/mm/vmalloc.c
@@ -31,6 +31,7 @@
#include <linux/compiler.h>
#include <linux/llist.h>
#include <linux/bitops.h>
+#include <linux/overflow.h>
#include <asm/uaccess.h>
#include <asm/tlbflush.h>
@@ -2173,6 +2174,7 @@ finished:
* @vma: vma to cover
* @uaddr: target user address to start at
* @kaddr: virtual address of vmalloc kernel memory
+ * @pgoff: offset from @kaddr to start at
* @size: size of map area
*
* Returns: 0 for success, -Exxx on failure
@@ -2185,9 +2187,15 @@ finished:
* Similar to remap_pfn_range() (see mm/memory.c)
*/
int remap_vmalloc_range_partial(struct vm_area_struct *vma, unsigned long uaddr,
- void *kaddr, unsigned long size)
+ void *kaddr, unsigned long pgoff,
+ unsigned long size)
{
struct vm_struct *area;
+ unsigned long off;
+ unsigned long end_index;
+
+ if (check_shl_overflow(pgoff, PAGE_SHIFT, &off))
+ return -EINVAL;
size = PAGE_ALIGN(size);
@@ -2201,8 +2209,10 @@ int remap_vmalloc_range_partial(struct v
if (!(area->flags & VM_USERMAP))
return -EINVAL;
- if (kaddr + size > area->addr + get_vm_area_size(area))
+ if (check_add_overflow(size, off, &end_index) ||
+ end_index > get_vm_area_size(area))
return -EINVAL;
+ kaddr += off;
do {
struct page *page = vmalloc_to_page(kaddr);
@@ -2241,7 +2251,7 @@ int remap_vmalloc_range(struct vm_area_s
unsigned long pgoff)
{
return remap_vmalloc_range_partial(vma, vma->vm_start,
- addr + (pgoff << PAGE_SHIFT),
+ addr, pgoff,
vma->vm_end - vma->vm_start);
}
EXPORT_SYMBOL(remap_vmalloc_range);
next prev parent reply other threads:[~2020-05-01 13:29 UTC|newest]
Thread overview: 86+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-05-01 13:20 [PATCH 4.9 00/80] 4.9.221-rc1 review Greg Kroah-Hartman
2020-05-01 13:20 ` [PATCH 4.9 01/80] ext4: fix extent_status fragmentation for plain files Greg Kroah-Hartman
2020-05-01 13:20 ` [PATCH 4.9 02/80] net: ipv4: emulate READ_ONCE() on ->hdrincl bit-field in raw_sendmsg() Greg Kroah-Hartman
2020-05-01 13:20 ` [PATCH 4.9 03/80] net: ipv4: avoid unused variable warning for sysctl Greg Kroah-Hartman
2020-05-01 13:20 ` [PATCH 4.9 04/80] drm/msm: Use the correct dma_sync calls harder Greg Kroah-Hartman
2020-05-01 13:20 ` [PATCH 4.9 05/80] crypto: mxs-dcp - make symbols sha1_null_hash and sha256_null_hash static Greg Kroah-Hartman
2020-05-01 13:21 ` [PATCH 4.9 06/80] vti4: removed duplicate log message Greg Kroah-Hartman
2020-05-01 13:21 ` [PATCH 4.9 07/80] watchdog: reset last_hw_keepalive time at start Greg Kroah-Hartman
2020-05-01 13:21 ` [PATCH 4.9 08/80] scsi: lpfc: Fix kasan slab-out-of-bounds error in lpfc_unreg_login Greg Kroah-Hartman
2020-05-01 13:21 ` [PATCH 4.9 09/80] ceph: return ceph_mdsc_do_request() errors from __get_parent() Greg Kroah-Hartman
2020-05-01 13:21 ` [PATCH 4.9 10/80] ceph: dont skip updating wanted caps when cap is stale Greg Kroah-Hartman
2020-05-01 13:21 ` [PATCH 4.9 11/80] pwm: rcar: Fix late Runtime PM enablement Greg Kroah-Hartman
2020-05-01 13:21 ` [PATCH 4.9 12/80] scsi: iscsi: Report unbind session event when the target has been removed Greg Kroah-Hartman
2020-05-01 13:21 ` [PATCH 4.9 13/80] ASoC: Intel: atom: Take the drv->lock mutex before calling sst_send_slot_map() Greg Kroah-Hartman
2020-05-01 13:21 ` [PATCH 4.9 14/80] kernel/gcov/fs.c: gcov_seq_next() should increase position index Greg Kroah-Hartman
2020-05-01 13:21 ` [PATCH 4.9 15/80] ipc/util.c: sysvipc_find_ipc() " Greg Kroah-Hartman
2020-05-01 13:21 ` [PATCH 4.9 16/80] s390/cio: avoid duplicated ADD uevents Greg Kroah-Hartman
2020-05-01 13:21 ` [PATCH 4.9 17/80] pwm: renesas-tpu: Fix late Runtime PM enablement Greg Kroah-Hartman
2020-05-01 13:21 ` [PATCH 4.9 18/80] pwm: bcm2835: Dynamically allocate base Greg Kroah-Hartman
2020-05-01 13:21 ` [PATCH 4.9 19/80] PCI/ASPM: Allow re-enabling Clock PM Greg Kroah-Hartman
2020-05-01 13:21 ` [PATCH 4.9 20/80] ipv6: fix restrict IPV6_ADDRFORM operation Greg Kroah-Hartman
2020-05-01 13:21 ` [PATCH 4.9 21/80] macsec: avoid to set wrong mtu Greg Kroah-Hartman
2020-05-01 13:21 ` [PATCH 4.9 22/80] macvlan: fix null dereference in macvlan_device_event() Greg Kroah-Hartman
2020-05-01 13:21 ` [PATCH 4.9 23/80] net: netrom: Fix potential nr_neigh refcnt leak in nr_add_node Greg Kroah-Hartman
2020-05-01 13:21 ` [PATCH 4.9 24/80] net/x25: Fix x25_neigh refcnt leak when receiving frame Greg Kroah-Hartman
2020-05-01 13:21 ` [PATCH 4.9 25/80] tcp: cache line align MAX_TCP_HEADER Greg Kroah-Hartman
2020-05-01 13:21 ` [PATCH 4.9 26/80] team: fix hang in team_mode_get() Greg Kroah-Hartman
2020-05-01 13:21 ` [PATCH 4.9 27/80] net: dsa: b53: Fix ARL register definitions Greg Kroah-Hartman
2020-05-01 13:21 ` [PATCH 4.9 28/80] xfrm: Always set XFRM_TRANSFORMED in xfrm{4,6}_output_finish Greg Kroah-Hartman
2020-05-01 13:21 ` [PATCH 4.9 29/80] ALSA: hda: Remove ASUS ROG Zenith from the blacklist Greg Kroah-Hartman
2020-05-01 13:21 ` [PATCH 4.9 30/80] iio: xilinx-xadc: Fix ADC-B powerdown Greg Kroah-Hartman
2020-05-01 13:21 ` [PATCH 4.9 31/80] iio: xilinx-xadc: Fix clearing interrupt when enabling trigger Greg Kroah-Hartman
2020-05-01 13:21 ` [PATCH 4.9 32/80] iio: xilinx-xadc: Fix sequencer configuration for aux channels in simultaneous mode Greg Kroah-Hartman
2020-05-01 13:21 ` [PATCH 4.9 33/80] fs/namespace.c: fix mountpoint reference counter race Greg Kroah-Hartman
2020-05-01 13:21 ` [PATCH 4.9 34/80] USB: sisusbvga: Change port variable from signed to unsigned Greg Kroah-Hartman
2020-05-01 13:21 ` [PATCH 4.9 35/80] USB: Add USB_QUIRK_DELAY_CTRL_MSG and USB_QUIRK_DELAY_INIT for Corsair K70 RGB RAPIDFIRE Greg Kroah-Hartman
2020-05-01 13:21 ` [PATCH 4.9 36/80] USB: core: Fix free-while-in-use bug in the USB S-Glibrary Greg Kroah-Hartman
2020-05-01 13:21 ` [PATCH 4.9 37/80] USB: hub: Fix handling of connect changes during sleep Greg Kroah-Hartman
2020-05-01 13:21 ` [PATCH 4.9 38/80] overflow.h: Add arithmetic shift helper Greg Kroah-Hartman
2020-05-01 13:21 ` Greg Kroah-Hartman [this message]
2020-05-01 13:21 ` [PATCH 4.9 40/80] ALSA: usx2y: Fix potential NULL dereference Greg Kroah-Hartman
2020-05-01 13:21 ` [PATCH 4.9 41/80] ALSA: usb-audio: Fix usb audio refcnt leak when getting spdif Greg Kroah-Hartman
2020-05-01 13:21 ` [PATCH 4.9 42/80] ALSA: usb-audio: Filter out unsupported sample rates on Focusrite devices Greg Kroah-Hartman
2020-05-01 13:21 ` [PATCH 4.9 43/80] tpm/tpm_tis: Free IRQ if probing fails Greg Kroah-Hartman
2020-05-01 13:21 ` [PATCH 4.9 44/80] KVM: Check validity of resolved slot when searching memslots Greg Kroah-Hartman
2020-05-01 13:21 ` [PATCH 4.9 45/80] KVM: VMX: Enable machine check support for 32bit targets Greg Kroah-Hartman
2020-05-01 13:21 ` [PATCH 4.9 46/80] tty: hvc: fix buffer overflow during hvc_alloc() Greg Kroah-Hartman
2020-05-01 13:21 ` [PATCH 4.9 47/80] tty: rocket, avoid OOB access Greg Kroah-Hartman
2020-05-01 13:21 ` [PATCH 4.9 48/80] usb-storage: Add unusual_devs entry for JMicron JMS566 Greg Kroah-Hartman
2020-05-01 13:21 ` [PATCH 4.9 49/80] audit: check the length of userspace generated audit records Greg Kroah-Hartman
2020-05-01 13:21 ` [PATCH 4.9 50/80] ASoC: dapm: fixup dapm kcontrol widget Greg Kroah-Hartman
2020-05-01 13:21 ` [PATCH 4.9 51/80] ARM: imx: provide v7_cpu_resume() only on ARM_CPU_SUSPEND=y Greg Kroah-Hartman
2020-05-01 13:21 ` [PATCH 4.9 52/80] staging: comedi: dt2815: fix writing hi byte of analog output Greg Kroah-Hartman
2020-05-01 13:21 ` [PATCH 4.9 53/80] staging: comedi: Fix comedi_device refcnt leak in comedi_open Greg Kroah-Hartman
2020-05-01 13:21 ` [PATCH 4.9 54/80] staging: vt6656: Fix drivers TBTT timing counter Greg Kroah-Hartman
2020-05-01 13:21 ` [PATCH 4.9 55/80] staging: vt6656: Power save stop wake_up_count wrap around Greg Kroah-Hartman
2020-05-01 13:21 ` [PATCH 4.9 56/80] UAS: no use logging any details in case of ENODEV Greg Kroah-Hartman
2020-05-01 13:21 ` [PATCH 4.9 57/80] UAS: fix deadlock in error handling and PM flushing work Greg Kroah-Hartman
2020-05-01 13:21 ` [PATCH 4.9 58/80] usb: f_fs: Clear OS Extended descriptor counts to zero in ffs_data_reset() Greg Kroah-Hartman
2020-05-01 13:21 ` [PATCH 4.9 59/80] remoteproc: Fix wrong rvring index computation Greg Kroah-Hartman
2020-05-01 13:21 ` [PATCH 4.9 60/80] fuse: fix possibly missed wake-up after abort Greg Kroah-Hartman
2020-05-01 13:21 ` [PATCH 4.9 61/80] mtd: cfi: fix deadloop in cfi_cmdset_0002.c do_write_buffer Greg Kroah-Hartman
2020-05-01 13:21 ` [PATCH 4.9 62/80] usb: gadget: udc: bdc: Remove unnecessary NULL checks in bdc_req_complete Greg Kroah-Hartman
2020-05-01 13:21 ` [PATCH 4.9 63/80] nfsd: memory corruption in nfsd4_lock() Greg Kroah-Hartman
2020-05-01 13:21 ` [PATCH 4.9 64/80] net/cxgb4: Check the return from t4_query_params properly Greg Kroah-Hartman
2020-05-01 13:21 ` [PATCH 4.9 65/80] perf/core: fix parent pid/tid in task exit events Greg Kroah-Hartman
2020-05-01 13:22 ` [PATCH 4.9 66/80] bpf, x86: Fix encoding for lower 8-bit registers in BPF_STX BPF_B Greg Kroah-Hartman
2020-05-01 13:22 ` [PATCH 4.9 67/80] xfs: fix partially uninitialized structure in xfs_reflink_remap_extent Greg Kroah-Hartman
2020-05-01 13:22 ` [PATCH 4.9 68/80] scsi: target: fix PR IN / READ FULL STATUS for FC Greg Kroah-Hartman
2020-05-01 13:22 ` [PATCH 4.9 69/80] objtool: Fix CONFIG_UBSAN_TRAP unreachable warnings Greg Kroah-Hartman
2020-05-01 13:22 ` [PATCH 4.9 70/80] objtool: Support Clang non-section symbols in ORC dump Greg Kroah-Hartman
2020-05-01 13:22 ` [PATCH 4.9 71/80] xen/xenbus: ensure xenbus_map_ring_valloc() returns proper grant status Greg Kroah-Hartman
2020-05-01 13:22 ` [PATCH 4.9 72/80] ext4: convert BUG_ONs to WARN_ONs in mballoc.c Greg Kroah-Hartman
2020-05-01 13:22 ` [PATCH 4.9 73/80] of: unittest: kmemleak on changeset destroy Greg Kroah-Hartman
2020-05-01 13:22 ` [PATCH 4.9 74/80] hwmon: (jc42) Fix name to have no illegal characters Greg Kroah-Hartman
2020-05-01 13:22 ` [PATCH 4.9 75/80] ext4: avoid declaring fs inconsistent due to invalid file handles Greg Kroah-Hartman
2020-05-01 13:22 ` [PATCH 4.9 76/80] ext4: protect journal inodes blocks using block_validity Greg Kroah-Hartman
2020-05-01 13:22 ` [PATCH 4.9 77/80] ext4: dont perform block validity checks on the journal inode Greg Kroah-Hartman
2020-05-01 13:22 ` [PATCH 4.9 78/80] ext4: fix block validity checks for journal inodes using indirect blocks Greg Kroah-Hartman
2020-05-01 13:22 ` [PATCH 4.9 79/80] ext4: unsigned int compared against zero Greg Kroah-Hartman
2020-05-01 13:22 ` [PATCH 4.9 80/80] ext4: check for non-zero journal inum in ext4_calculate_overhead Greg Kroah-Hartman
[not found] ` <20200501131513.810761598-hQyY1W1yCW8ekmWlsbkhG0B+6BGkLq7r@public.gmane.org>
2020-05-01 15:16 ` [PATCH 4.9 00/80] 4.9.221-rc1 review Jon Hunter
2020-05-01 15:16 ` Jon Hunter
2020-05-01 21:58 ` Guenter Roeck
2020-05-01 22:43 ` Naresh Kamboju
2020-05-02 23:18 ` shuah
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200501131526.076612229@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=akpm@linux-foundation.org \
--cc=andriin@fb.com \
--cc=ast@kernel.org \
--cc=daniel@iogearbox.net \
--cc=jannh@google.com \
--cc=john.fastabend@gmail.com \
--cc=kafai@fb.com \
--cc=kpsingh@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=songliubraving@fb.com \
--cc=stable@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
--cc=yhs@fb.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.