From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Yingcong Wu <yingcong.wu@intel.com>,
"Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>,
Dave Hansen <dave.hansen@linux.intel.com>
Subject: [PATCH 4.19 13/33] x86/mm: Fix VDSO and VVAR placement on 5-level paging machines
Date: Sun, 13 Aug 2023 23:19:07 +0200 [thread overview]
Message-ID: <20230813211704.400312616@linuxfoundation.org> (raw)
In-Reply-To: <20230813211703.915807095@linuxfoundation.org>
From: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
commit 1b8b1aa90c9c0e825b181b98b8d9e249dc395470 upstream.
Yingcong has noticed that on the 5-level paging machine, VDSO and VVAR
VMAs are placed above the 47-bit border:
8000001a9000-8000001ad000 r--p 00000000 00:00 0 [vvar]
8000001ad000-8000001af000 r-xp 00000000 00:00 0 [vdso]
This might confuse users who are not aware of 5-level paging and expect
all userspace addresses to be under the 47-bit border.
So far problem has only been triggered with ASLR disabled, although it
may also occur with ASLR enabled if the layout is randomized in a just
right way.
The problem happens due to custom placement for the VMAs in the VDSO
code: vdso_addr() tries to place them above the stack and checks the
result against TASK_SIZE_MAX, which is wrong. TASK_SIZE_MAX is set to
the 56-bit border on 5-level paging machines. Use DEFAULT_MAP_WINDOW
instead.
Fixes: b569bab78d8d ("x86/mm: Prepare to expose larger address space to userspace")
Reported-by: Yingcong Wu <yingcong.wu@intel.com>
Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/all/20230803151609.22141-1-kirill.shutemov%40linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/entry/vdso/vma.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/arch/x86/entry/vdso/vma.c
+++ b/arch/x86/entry/vdso/vma.c
@@ -228,8 +228,8 @@ static unsigned long vdso_addr(unsigned
/* Round the lowest possible end address up to a PMD boundary. */
end = (start + len + PMD_SIZE - 1) & PMD_MASK;
- if (end >= TASK_SIZE_MAX)
- end = TASK_SIZE_MAX;
+ if (end >= DEFAULT_MAP_WINDOW)
+ end = DEFAULT_MAP_WINDOW;
end -= len;
if (end > start) {
next prev parent reply other threads:[~2023-08-13 21:22 UTC|newest]
Thread overview: 40+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-08-13 21:18 [PATCH 4.19 00/33] 4.19.292-rc1 review Greg Kroah-Hartman
2023-08-13 21:18 ` [PATCH 4.19 01/33] sparc: fix up arch_cpu_finalize_init() build breakage Greg Kroah-Hartman
2023-08-13 21:18 ` [PATCH 4.19 02/33] mmc: moxart: read scr register without changing byte order Greg Kroah-Hartman
2023-08-13 21:18 ` [PATCH 4.19 03/33] ipv6: adjust ndisc_is_useropt() to also return true for PIO Greg Kroah-Hartman
2023-08-13 21:18 ` [PATCH 4.19 04/33] dmaengine: pl330: Return DMA_PAUSED when transaction is paused Greg Kroah-Hartman
2023-08-13 21:18 ` [PATCH 4.19 05/33] drm/nouveau/gr: enable memory loads on helper invocation on all channels Greg Kroah-Hartman
2023-08-13 21:18 ` [Nouveau] " Greg Kroah-Hartman
2023-08-13 21:19 ` [PATCH 4.19 06/33] radix tree test suite: fix incorrect allocation size for pthreads Greg Kroah-Hartman
2023-08-13 21:19 ` [PATCH 4.19 07/33] nilfs2: fix use-after-free of nilfs_root in dirtying inodes via iput Greg Kroah-Hartman
2023-08-13 21:19 ` [PATCH 4.19 08/33] iio: cros_ec: Fix the allocation size for cros_ec_command Greg Kroah-Hartman
2023-08-13 21:19 ` [PATCH 4.19 09/33] binder: fix memory leak in binder_init() Greg Kroah-Hartman
2023-08-13 21:19 ` [PATCH 4.19 10/33] usb-storage: alauda: Fix uninit-value in alauda_check_media() Greg Kroah-Hartman
2023-08-13 21:19 ` [PATCH 4.19 11/33] usb: dwc3: Properly handle processing of pending events Greg Kroah-Hartman
2023-08-13 21:19 ` [PATCH 4.19 12/33] x86/cpu/amd: Enable Zenbleed fix for AMD Custom APU 0405 Greg Kroah-Hartman
2023-08-13 21:19 ` Greg Kroah-Hartman [this message]
2023-08-13 21:19 ` [PATCH 4.19 14/33] x86: Move gds_ucode_mitigated() declaration to header Greg Kroah-Hartman
2023-08-13 21:19 ` [PATCH 4.19 15/33] drm/nouveau/disp: Revert a NULL check inside nouveau_connector_get_modes Greg Kroah-Hartman
2023-08-13 21:19 ` [PATCH 4.19 16/33] mISDN: Update parameter type of dsp_cmx_send() Greg Kroah-Hartman
2023-08-13 21:19 ` [PATCH 4.19 17/33] net/packet: annotate data-races around tp->status Greg Kroah-Hartman
2023-08-13 21:19 ` [PATCH 4.19 18/33] bonding: Fix incorrect deletion of ETH_P_8021AD protocol vid from slaves Greg Kroah-Hartman
2023-08-13 21:19 ` [PATCH 4.19 19/33] dccp: fix data-race around dp->dccps_mss_cache Greg Kroah-Hartman
2023-08-13 21:19 ` [PATCH 4.19 20/33] drivers: net: prevent tun_build_skb() to exceed the packet size limit Greg Kroah-Hartman
2023-08-13 21:19 ` [PATCH 4.19 21/33] IB/hfi1: Fix possible panic during hotplug remove Greg Kroah-Hartman
2023-08-13 21:19 ` [PATCH 4.19 22/33] wifi: cfg80211: fix sband iftype data lookup for AP_VLAN Greg Kroah-Hartman
2023-08-13 21:19 ` [PATCH 4.19 23/33] ibmvnic: Handle DMA unmapping of login buffs in release functions Greg Kroah-Hartman
2023-08-13 21:19 ` [PATCH 4.19 24/33] btrfs: dont stop integrity writeback too early Greg Kroah-Hartman
2023-08-13 21:19 ` [PATCH 4.19 25/33] netfilter: nf_tables: bogus EBUSY when deleting flowtable after flush Greg Kroah-Hartman
2023-08-13 21:19 ` [PATCH 4.19 26/33] netfilter: nf_tables: report use refcount overflow Greg Kroah-Hartman
2023-08-13 21:19 ` [PATCH 4.19 27/33] scsi: core: Fix legacy /proc parsing buffer overflow Greg Kroah-Hartman
2023-08-13 21:19 ` [PATCH 4.19 28/33] scsi: storvsc: Fix handling of virtual Fibre Channel timeouts Greg Kroah-Hartman
2023-08-13 21:19 ` [PATCH 4.19 29/33] scsi: 53c700: Check that command slot is not NULL Greg Kroah-Hartman
2023-08-13 21:19 ` [PATCH 4.19 30/33] scsi: snic: Fix possible memory leak if device_add() fails Greg Kroah-Hartman
2023-08-13 21:19 ` [PATCH 4.19 31/33] scsi: core: " Greg Kroah-Hartman
2023-08-13 21:19 ` [PATCH 4.19 32/33] alpha: remove __init annotation from exported page_is_ram() Greg Kroah-Hartman
2023-08-13 21:19 ` [PATCH 4.19 33/33] sch_netem: fix issues in netem_change() vs get_dist_table() Greg Kroah-Hartman
2023-08-14 14:53 ` [PATCH 4.19 00/33] 4.19.292-rc1 review Thierry Reding
2023-08-14 18:23 ` Guenter Roeck
2023-08-15 1:03 ` Shuah Khan
2023-08-15 6:01 ` Daniel Díaz
2023-08-16 2:05 ` luomeng
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230813211704.400312616@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=dave.hansen@linux.intel.com \
--cc=kirill.shutemov@linux.intel.com \
--cc=patches@lists.linux.dev \
--cc=stable@vger.kernel.org \
--cc=yingcong.wu@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.