From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Yonghua Zheng <younghua.zheng@gmail.com>,
	Andrew Morton <akpm@linux-foundation.org>,
	Linus Torvalds <torvalds@linux-foundation.org>
Subject: [ 02/34] fs/proc/task_mmu.c: fix buffer overflow in add_page_map()
Date: Sun, 18 Aug 2013 13:34:15 -0700
Message-ID: <20130818203259.828284927@linuxfoundation.org>
In-Reply-To: <20130818203259.653403173@linuxfoundation.org>

3.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: yonghua zheng <younghua.zheng@gmail.com>

commit 8c8296223f3abb142be8fc31711b18a704c0e7d8 upstream.

Recently we met quite a lot of random kernel panic issues after enabling
CONFIG_PROC_PAGE_MONITOR.  After debugging we found this has something
to do with the following bug in pagemap:

In struct pagemapread:

  struct pagemapread {
      int pos, len;
      pagemap_entry_t *buffer;
      bool v2;
  };

pos is the number of PM_ENTRY_BYTES in buffer, but len is the size of
buffer; it is a mistake to compare pos and len in add_page_map() to
check whether the buffer is full or not, and this can lead to buffer
overflow and random kernel panic issues.

Correct len to be total number of PM_ENTRY_BYTES in buffer.

[akpm@linux-foundation.org: document pagemapread.pos and .len units, fix PM_ENTRY_BYTES definition]
Signed-off-by: Yonghua Zheng <younghua.zheng@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/proc/task_mmu.c |    8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

--- a/fs/proc/task_mmu.c
+++ b/fs/proc/task_mmu.c
@@ -679,14 +679,14 @@ typedef struct {
 } pagemap_entry_t;
 
 struct pagemapread {
-	int pos, len;
+	int pos, len;		/* units: PM_ENTRY_BYTES, not bytes */
 	pagemap_entry_t *buffer;
 };
 
 #define PAGEMAP_WALK_SIZE	(PMD_SIZE)
 #define PAGEMAP_WALK_MASK	(PMD_MASK)
 
-#define PM_ENTRY_BYTES      sizeof(u64)
+#define PM_ENTRY_BYTES      sizeof(pagemap_entry_t)
 #define PM_STATUS_BITS      3
 #define PM_STATUS_OFFSET    (64 - PM_STATUS_BITS)
 #define PM_STATUS_MASK      (((1LL << PM_STATUS_BITS) - 1) << PM_STATUS_OFFSET)
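Review bot: the new comment on `pos, len` at the top of this hunk, `units: PM_ENTRY_BYTES, not bytes`, is easy to misread as "the unit is a byte count"; both fields count entries, so something like `/* units: entries of PM_ENTRY_BYTES each, not bytes */` would state it unambiguously. Note for the backport that this 3.4 struct has no `bool v2` member, unlike the struct quoted in the commit message, so the context here differs from upstream and the hunk offset should be checked against the 3.4 tree rather than assumed. Redefining `PM_ENTRY_BYTES` as `sizeof(pagemap_entry_t)` is the right call: it ties the constant to the type actually stored in `buffer`, so the two can no longer drift apart if the entry type ever changes.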
@@ -913,8 +913,8 @@ static ssize_t pagemap_read(struct file
 	if (!count)
 		goto out_task;
 
-	pm.len = PM_ENTRY_BYTES * (PAGEMAP_WALK_SIZE >> PAGE_SHIFT);
-	pm.buffer = kmalloc(pm.len, GFP_TEMPORARY);
+	pm.len = (PAGEMAP_WALK_SIZE >> PAGE_SHIFT);
+	pm.buffer = kmalloc(pm.len * PM_ENTRY_BYTES, GFP_TEMPORARY);
 	ret = -ENOMEM;
 	if (!pm.buffer)
 		goto out_task;
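Review bot: `pm.len` now counts entries while the allocation is `pm.len * PM_ENTRY_BYTES`, which makes the `pos` versus `len` comparison in add_page_map() (not shown in this hunk) consistent, but the same unit change must hold everywhere else in pagemap_read(): any place that derives a byte count from `pm.pos` or `pm.len` for the copy back to user space has to multiply by PM_ENTRY_BYTES, otherwise it would now under-copy by the same factor the old check over-counted. Since `PAGEMAP_WALK_SIZE` is `PMD_SIZE`, `PAGEMAP_WALK_SIZE >> PAGE_SHIFT` is the number of pages in one PMD, so storing it in an `int` is safe.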

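The unit mismatch the commit message describes, modelled in user space as an added example (not the kernel's code or the patch author's): with `len` in bytes, the `pos >= len` check admits writes well past the buffer, while with `len` in entries it stops exactly at capacity. The `capacity` field and `count_overruns()` are constructed for this illustration only.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* User-space model of the 3.4 pagemap bookkeeping. Constructed for this
 * example; the real code lives in fs/proc/task_mmu.c. */
typedef struct { uint64_t pme; } pagemap_entry_t;
#define PM_ENTRY_BYTES sizeof(pagemap_entry_t)

struct pagemapread {
	size_t pos, len;         /* pos: entries written; len's unit is the bug */
	pagemap_entry_t *buffer;
	size_t capacity;         /* real size in entries, only to detect overruns */
};

/* Model of add_page_map(): 0 = stored, -1 = bounds check said "full",
 * -2 = bounds check passed but the write would land past the buffer. */
static int add_page_map(struct pagemapread *pm, uint64_t pme)
{
	if (pm->pos >= pm->len)
		return -1;
	if (pm->pos >= pm->capacity)
		return -2;        /* the kernel would corrupt memory here */
	pm->buffer[pm->pos++].pme = pme;
	return 0;
}

/* Feed n entries into a buffer of `capacity` entries whose len is either
 * in bytes (pre-patch) or in entries (post-patch). Returns how many writes
 * the bounds check let through beyond the end of the buffer. */
static size_t count_overruns(size_t capacity, bool len_in_bytes, size_t n)
{
	struct pagemapread pm = {
		.pos = 0,
		.len = len_in_bytes ? capacity * PM_ENTRY_BYTES : capacity,
		.buffer = calloc(capacity, PM_ENTRY_BYTES),
		.capacity = capacity,
	};
	size_t overruns = 0;

	for (size_t i = 0; pm.buffer && i < n; i++) {
		int rc = add_page_map(&pm, i);
		if (rc == -1)
			break;            /* buffer full: correct behaviour */
		if (rc == -2) {
			overruns++;
			pm.pos++;         /* mimic the kernel advancing pos anyway */
		}
	}
	free(pm.buffer);
	return overruns;
}
```

With a 512-entry buffer (one PMD of 4 KiB pages), the byte-sized `len` lets the check accept 8 times as many entries as the buffer holds.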

