From: Sami Tolvanen <samitolvanen@google.com>
To: Andrii Kuchmenko <capyenglishlite@gmail.com>
Cc: linux-modules@vger.kernel.org, chleroy@kernel.org,
mcgrof@kernel.org, dmitry.torokhov@gmail.com,
linux-kernel@vger.kernel.org, stable@vger.kernel.org
Subject: Re: [PATCH v2] module: decompress: check return value of module_extend_max_pages()
Date: Tue, 19 May 2026 21:23:28 +0000 [thread overview]
Message-ID: <20260519212328.GA2614626@google.com> (raw)
In-Reply-To: <20260518143233.16091-1-capyenglishlite@gmail.com>
Hi Andrii,
On Mon, May 18, 2026 at 05:32:33PM +0300, Andrii Kuchmenko wrote:
> module_extend_max_pages() calls kvrealloc() internally and returns
> -ENOMEM on allocation failure. The return value is never checked.
We should definitely fix this, but I'm not sure the rest of the
commit message is entirely accurate.
> The decompression loop then continues calling module_get_next_page(),
> which writes struct page pointers into info->pages[]. When used_pages
> reaches the stale max_pages value (not updated due to the failed
> extend), a subsequent write to info->pages[used_pages++] goes out of
> bounds into adjacent heap memory.
>
> Adjacent slab objects in the same kmalloc cache (pipe_buffer,
> seq_operations, cred) can be corrupted, potentially leading to local
> privilege escalation on kernels without SLAB_VIRTUAL mitigation.
Looking at the code:
- struct load_info info is zero-initialized in init_module_from_file().
- If module_extend_max_pages() fails, info->pages remains NULL and
info->max_pages and info->used_pages both remain 0.
- module_get_next_page() sees info->max_pages == info->used_pages
immediately and calls module_extend_max_pages(info, 0).
- kvrealloc() is called with a size of 0 and it returns ZERO_SIZE_PTR.
- Because ZERO_SIZE_PTR != NULL, module_extend_max_pages() sets
info->pages to ZERO_SIZE_PTR and returns 0.
- module_get_next_page() writes to info->pages[info->used_pages++],
and the write to ZERO_SIZE_PTR results in an immediate oops.
This isn't great, but I do not see a potential for an out-of-bounds
write or slab corruption in this specific case. What am I missing?
Sami
next prev parent reply other threads:[~2026-05-19 21:23 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-18 14:32 [PATCH v2] module: decompress: check return value of module_extend_max_pages() Andrii Kuchmenko
2026-05-18 16:21 ` Christophe Leroy (CS GROUP)
2026-05-19 14:56 ` Christophe Leroy (CS GROUP)
2026-05-19 21:23 ` Sami Tolvanen [this message]
[not found] ` <CAEABq7f3agKZqrBiu+UwXHY44mTcK360ryg-i0w=wEc_Lv+T0A@mail.gmail.com>
2026-05-20 15:12 ` Sami Tolvanen
2026-05-20 16:05 ` Afi0
2026-05-20 21:33 ` Christophe Leroy (CS GROUP)
-- strict thread matches above, loose matches on Subject: below --
2026-05-18 12:18 Andrii Kuchmenko
2026-05-18 12:57 ` Greg KH
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260519212328.GA2614626@google.com \
--to=samitolvanen@google.com \
--cc=capyenglishlite@gmail.com \
--cc=chleroy@kernel.org \
--cc=dmitry.torokhov@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-modules@vger.kernel.org \
--cc=mcgrof@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox