From: Sami Tolvanen <samitolvanen@google.com>
To: Andrii Kuchmenko <capyenglishlite@gmail.com>
Cc: linux-modules@vger.kernel.org, chleroy@kernel.org,
mcgrof@kernel.org, dmitry.torokhov@gmail.com,
linux-kernel@vger.kernel.org, stable@vger.kernel.org
Subject: Re: [PATCH v2] module: decompress: check return value of module_extend_max_pages()
Date: Tue, 19 May 2026 21:23:28 +0000 [thread overview]
Message-ID: <20260519212328.GA2614626@google.com> (raw)
In-Reply-To: <20260518143233.16091-1-capyenglishlite@gmail.com>
Hi Andrii,
On Mon, May 18, 2026 at 05:32:33PM +0300, Andrii Kuchmenko wrote:
> module_extend_max_pages() calls kvrealloc() internally and returns
> -ENOMEM on allocation failure. The return value is never checked.
We should definitely fix this, but I'm not sure the rest of the
commit message is entirely accurate.
> The decompression loop then continues calling module_get_next_page(),
> which writes struct page pointers into info->pages[]. When used_pages
> reaches the stale max_pages value (not updated due to the failed
> extend), a subsequent write to info->pages[used_pages++] goes out of
> bounds into adjacent heap memory.
>
> Adjacent slab objects in the same kmalloc cache (pipe_buffer,
> seq_operations, cred) can be corrupted, potentially leading to local
> privilege escalation on kernels without SLAB_VIRTUAL mitigation.
Looking at the code:
- struct load_info info is zero-initialized in init_module_from_file().
- If module_extend_max_pages() fails, info->pages remains NULL and
info->max_pages and info->used_pages both remain 0.
- module_get_next_page() sees info->max_pages == info->used_pages
immediately and calls module_extend_max_pages(info, 0).
- kvrealloc() is called with a size of 0 and it returns ZERO_SIZE_PTR.
- Because ZERO_SIZE_PTR != NULL, module_extend_max_pages() sets
info->pages to ZERO_SIZE_PTR and returns 0.
- module_get_next_page() writes to info->pages[info->used_pages++],
and the write to ZERO_SIZE_PTR results in an immediate oops.
This isn't great, but I do not see a potential for an out-of-bounds
write or slab corruption in this specific case. What am I missing?
Sami
next prev parent reply other threads:[~2026-05-19 21:23 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-18 14:32 [PATCH v2] module: decompress: check return value of module_extend_max_pages() Andrii Kuchmenko
2026-05-18 16:21 ` Christophe Leroy (CS GROUP)
2026-05-19 14:56 ` Christophe Leroy (CS GROUP)
2026-05-19 21:23 ` Sami Tolvanen [this message]
[not found] ` <CAEABq7f3agKZqrBiu+UwXHY44mTcK360ryg-i0w=wEc_Lv+T0A@mail.gmail.com>
2026-05-20 15:12 ` Sami Tolvanen
2026-05-20 16:05 ` Afi0
2026-05-20 21:33 ` Christophe Leroy (CS GROUP)
2026-05-27 22:58 ` Sami Tolvanen
-- strict thread matches above, loose matches on Subject: below --
2026-05-18 12:18 Andrii Kuchmenko
2026-05-18 12:57 ` Greg KH
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260519212328.GA2614626@google.com \
--to=samitolvanen@google.com \
--cc=capyenglishlite@gmail.com \
--cc=chleroy@kernel.org \
--cc=dmitry.torokhov@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-modules@vger.kernel.org \
--cc=mcgrof@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.