From: Robert Hancock <hancockr@shaw.ca>
To: Nick Piggin <nickpiggin@yahoo.com.au>
Cc: Jonathan Corbet <corbet@lwn.net>,
linux-kernel@vger.kernel.org, akpm@linux-foundation.org,
torvalds@linux-foundation.org
Subject: Re: [PATCH] Avoid buffer overflows in get_user_pages()
Date: Mon, 11 Feb 2008 21:16:52 -0600 [thread overview]
Message-ID: <47B10FA4.2000808@shaw.ca> (raw)
In-Reply-To: <fa.NNs+hqAlLlf93+yNZ/YJzSyGQbs@ifi.uio.no>
Nick Piggin wrote:
> On Tuesday 12 February 2008 10:17, Jonathan Corbet wrote:
>> Avoid buffer overflows in get_user_pages()
>>
>> So I spent a while pounding my head against my monitor trying to figure
>> out the vmsplice() vulnerability - how could a failure to check for
>> *read* access turn into a root exploit? It turns out that it's a buffer
>> overflow problem which is made easy by the way get_user_pages() is
>> coded.
>>
>> In particular, "len" is a signed int, and it is only checked at the
>> *end* of a do {} while() loop. So, if it is passed in as zero, the loop
>> will execute once and decrement len to -1. At that point, the loop will
>> proceed until the next invalid address is found; in the process, it will
>> likely overflow the pages array passed in to get_user_pages().
>>
>> I think that, if get_user_pages() has been asked to grab zero pages,
>> that's what it should do. Thus this patch; it is, among other things,
>> enough to block the (already fixed) root exploit and any others which
>> might be lurking in similar code. I also think that the number of pages
>> should be unsigned, but changing the prototype of this function probably
>> requires some more careful review.
>>
>> Signed-off-by: Jonathan Corbet <corbet@lwn.net>
>>
>> diff --git a/mm/memory.c b/mm/memory.c
>> index e5628a5..7f50fd8 100644
>> --- a/mm/memory.c
>> +++ b/mm/memory.c
>> @@ -989,6 +989,8 @@ int get_user_pages(struct task_struct *tsk, struct
>> mm_struct *mm, int i;
>> unsigned int vm_flags;
>>
>> + if (len <= 0)
>> + return 0;
>
> BUG_ON()?
Well, not if the code involved in the exploit can pass a zero value,
otherwise it's just turning it into a DoS..
next parent reply other threads:[~2008-02-12 3:20 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <fa.5jOFf0zR7ZoK3hLDItf3Omow4lE@ifi.uio.no>
[not found] ` <fa.NNs+hqAlLlf93+yNZ/YJzSyGQbs@ifi.uio.no>
2008-02-12 3:16 ` Robert Hancock [this message]
2008-02-12 5:56 ` [PATCH] Avoid buffer overflows in get_user_pages() Nick Piggin
[not found] <9VQ6w-5Xn-7@gated-at.bofh.it>
[not found] ` <9VY4a-1tI-21@gated-at.bofh.it>
2008-02-12 8:34 ` Bodo Eggert
2008-02-11 23:17 Jonathan Corbet
2008-02-11 23:45 ` Nick Piggin
2008-02-12 7:46 ` Andrew Morton
2008-02-12 10:35 ` Jiri Kosina
2008-02-14 16:45 ` Oliver Pinter
2008-02-14 21:09 ` Jonathan Corbet
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=47B10FA4.2000808@shaw.ca \
--to=hancockr@shaw.ca \
--cc=akpm@linux-foundation.org \
--cc=corbet@lwn.net \
--cc=linux-kernel@vger.kernel.org \
--cc=nickpiggin@yahoo.com.au \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.