public inbox for linux-ia64@vger.kernel.org
From: Chris Wright <chrisw@osdl.org>
To: "Zou, Nanhai" <nanhai.zou@intel.com>
Cc: Hugh Dickins <hugh@veritas.com>, Chris Wright <chrisw@osdl.org>,
	Andrew Morton <akpm@osdl.org>, Linus Torvalds <torvalds@osdl.org>,
	"Luck, Tony" <tony.luck@intel.com>,
	Martin Schwidefsky <schwidefsky@de.ibm.com>,
	Andi Kleen <ak@suse.de>,
	linux-kernel@vger.kernel.org, linux-ia64@vger.kernel.org
Subject: Re: [PATCH 1/2] setup_arg_pages can insert overlapping vma
Date: Wed, 24 Nov 2004 20:38:32 +0000
Message-ID: <20041124123829.U2357@build.pdx.osdl.net>
In-Reply-To: <894E37DECA393E4D9374E0ACBBE7427013C9AB@pdsmsx402.ccr.corp.intel.com>; from nanhai.zou@intel.com on Wed, Nov 24, 2004 at 09:04:28AM +0800

* Zou, Nanhai (nanhai.zou@intel.com) wrote:
>  <<ia64-vm-overlap.tar.gz>>  <<vma-overlap-fix.patch>> I think the ia64 ia32
> subsystem is not vulnerable to this kind of overlapping vm problem,
> because it does not support the a.out binary format,

I am able to map a section over the arg pages, and for some reason this
case segfaults (in the application).  Disassembly shows garbage left
behind in that page.  AFAICT, this can only cause the app to segfault in
userspace.

> x86_64 is vulnerable to this.
> 
> just do a 
> perl -e'print"\x07\x01".("\x00"x10)."\x00\xe0\xff\xff".("\x00"x16)'>
> evilaout
> you will get it.
>  
> and IA64 is also vulnerable to this kind of bug in 64 bit ELF support:
> it just inserts a vma of the zero page without checking overlap, so a user can
> construct an ELF with a section beginning at 0x0 to trigger this BUG_ON(). I
> attach a testcase to trigger this bug.

Yes, I was able to reproduce a similar bug last night on ia64 by placing
a 1k section at 0x1000, and this patch indeed fixes it up.

> I don't know about s390. However, I think it's safe to check for
> overlap before we actually insert a vma into the vma list.
>  
> And I also feel checking vma overlap everywhere is unnecessary, because
> insert_vm_struct will check it again, so the check is duplicated. It's
> better to have insert_vm_struct return a value and then let the caller check if
> it succeeds.

Yes, I agree.  That's the question I asked early on.  With no answer I
took the defensive route to be sure the BUG() wasn't there for some valid
reason I was missing.  This looks better.

thanks,
-chris
-- 
Linux Security Modules     http://lsm.immunix.org     http://lsm.bkbits.net
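As an added illustration of what the quoted perl one-liner relies on (example code written for this page, not code from the thread, from Chris's patch or from the kernel): it decodes the 32-byte a.out header that command writes, derives the bss (brk) range an OMAGIC binary asks the loader to map, and tries to insert that range into a toy vma list whose insert refuses overlap with an error the caller must check, which is the shape the quoted reply argues for instead of a BUG() inside insert_vm_struct. The stack placement (arg pages at the top of a 32-bit stack ending at 0xffffe000), the toy vma list and the function names are assumptions made for the example.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* a.out exec header: eight little-endian 32-bit words, as struct exec in <a.out.h>. */
struct aout_exec {
    uint32_t a_info;   /* magic number in the low 16 bits, then machine type and flags */
    uint32_t a_text;   /* length of text segment, bytes */
    uint32_t a_data;   /* length of data segment, bytes */
    uint32_t a_bss;    /* length of uninitialised data (bss), bytes */
    uint32_t a_syms;   /* length of symbol table */
    uint32_t a_entry;  /* entry point */
    uint32_t a_trsize; /* length of text relocation info */
    uint32_t a_drsize; /* length of data relocation info */
};

#define AOUT_HDR_SIZE 32
#define OMAGIC 0407                        /* 0x107: impure format, text loaded at address 0 */
#define N_MAGIC(ex) ((ex).a_info & 0xffff)

static uint32_t le32(const unsigned char *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }

/* Decode a raw header.  Returns 0, or -ENOEXEC if it is short or not OMAGIC. */
int aout_parse(const unsigned char *buf, size_t len, struct aout_exec *ex)
{
    uint32_t w[8];
    if (len < AOUT_HDR_SIZE)
        return -ENOEXEC;
    for (int i = 0; i < 8; i++)
        w[i] = le32(buf + 4 * i);
    memcpy(ex, w, sizeof w);              /* struct has no padding: eight packed words */
    return N_MAGIC(*ex) == OMAGIC ? 0 : -ENOEXEC;
}

/* Constructed input: the 32 bytes the perl one-liner in the message writes to "evilaout". */
static const unsigned char evilaout[AOUT_HDR_SIZE] = {
    0x07, 0x01,                                     /* a_info: OMAGIC (0407) */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0,                   /* rest of a_info, a_text, a_data */
    0x00, 0xe0, 0xff, 0xff,                         /* a_bss = 0xffffe000 */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* a_syms, a_entry, a_trsize, a_drsize */
};

/* OMAGIC: text at 0, data after text, bss after data, so the bss (brk) region is
 * [a_text + a_data, a_text + a_data + a_bss), computed in 32 bits as for a 32-bit process. */
void aout_bss_range(const struct aout_exec *ex, uint32_t *start, uint32_t *end)
{
    *start = ex->a_text + ex->a_data;
    *end = *start + ex->a_bss;
}

#define MAX_VMAS 8
struct vma { uint64_t start, end; };             /* half-open [start, end) */
struct mm { struct vma v[MAX_VMAS]; int n; };    /* toy stand-in for mm_struct's vma list */

/* The question find_vma_intersection() answers: does [start, end) touch an existing vma? */
int vma_intersects(const struct mm *mm, uint64_t start, uint64_t end)
{
    for (int i = 0; i < mm->n; i++)
        if (start < mm->v[i].end && mm->v[i].start < end)
            return 1;
    return 0;
}

/* The shape the thread argues for: an overlapping insert fails with an error the
 * caller must check, instead of BUG()ing inside the insert. */
int mm_insert_vma(struct mm *mm, uint64_t start, uint64_t end)
{
    if (start >= end || mm->n == MAX_VMAS)
        return -EINVAL;
    if (vma_intersects(mm, start, end))
        return -ENOMEM;
    mm->v[mm->n].start = start;
    mm->v[mm->n].end = end;
    mm->n++;
    return 0;
}

/* Assumed ia32-on-x86_64 layout: setup_arg_pages() has already placed the arg pages
 * at the top of a 32-bit stack ending at 0xffffe000 (assumption for this example).
 * Returns the result of inserting the bss region the header asks for. */
int try_map_bss(const unsigned char *hdr, size_t len)
{
    struct aout_exec ex;
    struct mm mm = { .n = 0 };
    uint32_t bss_start, bss_end;
    int rc = aout_parse(hdr, len, &ex);
    if (rc)
        return rc;
    mm_insert_vma(&mm, 0xffffd000, 0xffffe000);  /* stack vma holding the arg pages */
    aout_bss_range(&ex, &bss_start, &bss_end);
    return mm_insert_vma(&mm, bss_start, bss_end);
}

int main(void)
{
    printf("evilaout bss insert: %d (-ENOMEM = %d)\n", try_map_bss(evilaout, sizeof evilaout), -ENOMEM);
}
```

With the header from the one-liner, a_text and a_data are zero and a_bss is 0xffffe000, so the requested bss region is [0, 0xffffe000) and it collides with the stack vma; the same predicate rejects a second zero-page vma at [0, 0x1000), which is the ia64 ELF case the reply describes. Because mm_insert_vma() returns -ENOMEM instead of BUG()ing, the caller can fail the exec cleanly, which is the duplicate check the quoted reply wants folded into insert_vm_struct itself.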


Thread overview: 8+ messages
     [not found] <20041124152250.GA4797@mschwid3.boeblingen.de.ibm.com>
2004-11-24  1:04 ` [PATCH 1/2] setup_arg_pages can insert overlapping vma Zou, Nanhai
2004-11-24  1:23   ` Andrew Morton
2004-11-24 10:45     ` Andi Kleen
2004-11-24 16:30   ` Hugh Dickins
2004-11-24 16:41   ` Hugh Dickins
2004-11-24 17:51   ` Luck, Tony
2004-11-24 20:38   ` Chris Wright [this message]
2004-11-25  0:44   ` Zou, Nanhai
