From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Greg Hackmann <ghackmann@google.com>,
	Will Deacon <will.deacon@arm.com>
Subject: [PATCH 3.18 39/56] arm64: mm: check for upper PAGE_SHIFT bits in pfn_valid()
Date: Mon,  3 Sep 2018 18:49:29 +0200
Message-ID: <20180903164926.005307025@linuxfoundation.org>
In-Reply-To: <20180903164924.078355019@linuxfoundation.org>

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Greg Hackmann <ghackmann@android.com>

commit 5ad356eabc47d26a92140a0c4b20eba471c10de3 upstream.

ARM64's pfn_valid() shifts away the upper PAGE_SHIFT bits of the input
before seeing if the PFN is valid.  This leads to false positives when
some of the upper bits are set, but the lower bits match a valid PFN.

For example, the following userspace code looks up a bogus entry in
/proc/kpageflags:

    int pagemap = open("/proc/self/pagemap", O_RDONLY);
    int pageflags = open("/proc/kpageflags", O_RDONLY);
    uint64_t pfn, val;

    lseek64(pagemap, [...], SEEK_SET);
    read(pagemap, &pfn, sizeof(pfn));
    if (pfn & (1UL << 63)) {        /* valid PFN */
        pfn &= ((1UL << 55) - 1);   /* clear flag bits */
        pfn |= (1UL << 55);
        lseek64(pageflags, pfn * sizeof(uint64_t), SEEK_SET);
        read(pageflags, &val, sizeof(val));
    }

On ARM64 this causes the userspace process to crash with SIGSEGV rather
than reading (1 << KPF_NOPAGE).  kpageflags_read() treats the offset as
valid, and stable_page_flags() will try to access an address between the
user and kernel address ranges.

Fixes: c1cc1552616d ("arm64: MMU initialisation")
Cc: stable@vger.kernel.org
Signed-off-by: Greg Hackmann <ghackmann@google.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm64/mm/init.c |    6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

--- a/arch/arm64/mm/init.c
+++ b/arch/arm64/mm/init.c
@@ -116,7 +116,11 @@ static void __init zone_sizes_init(unsig
 #ifdef CONFIG_HAVE_ARCH_PFN_VALID
 int pfn_valid(unsigned long pfn)
 {
-	return memblock_is_memory(pfn << PAGE_SHIFT);
+	phys_addr_t addr = pfn << PAGE_SHIFT;
+
+	if ((addr >> PAGE_SHIFT) != pfn)
+		return 0;
+	return memblock_is_memory(addr);
 }
 EXPORT_SYMBOL(pfn_valid);
 #endif
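Review bot: the new guard `if ((addr >> PAGE_SHIFT) != pfn)` carries no comment saying what it rejects; because `pfn << PAGE_SHIFT` is evaluated in `unsigned long` and silently drops the top PAGE_SHIFT bits, a one-line comment above the test (for example `/* upper PAGE_SHIFT bits set: the shift overflowed */`) would spare the next reader working out that this is an overflow check rather than an alignment check. The logic itself holds: a pfn with any of those bits set cannot survive the round trip, so it can no longer alias the valid lower-bit PFN that the commit message describes, and `memblock_is_memory(addr)` is only reached for values whose shift was lossless.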

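To see the defect and the fix side by side, here is an added userspace model (not code from the patch, the kernel tree, or the author) of arm64's pfn_valid() before and after this change. It assumes a 64-bit unsigned long and PAGE_SHIFT == 12 (4K pages; arm64's 16K and 64K configurations only move the boundary), and the memblock_is_memory() stand-in is a constructed single RAM range rather than the real memblock list. The bogus PFN is built the way the commit message's snippet builds it, by setting bit 55 on top of a valid PFN: with PAGE_SHIFT == 12 every bit from 52 upward is shifted out, so the old check collapses it onto the valid PFN while the fixed check rejects it. pfn_has_upper_bits() is an equivalent statement of the round-trip test, added here to make explicit which inputs the check turns away.

```c
/*
 * Added example (not from the patch or the kernel tree): a userspace model of
 * arm64's pfn_valid() before and after commit 5ad356eabc47, showing why a
 * PFN with bits set above the PAGE_SHIFT boundary passed the old check.
 *
 * Assumptions: 64-bit unsigned long, PAGE_SHIFT == 12 (4K pages). The
 * "memblock" below is a constructed single region standing in for the real
 * memblock.memory list; the addresses are made up for the demonstration.
 */
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT    12
#define BITS_PER_LONG 64

_Static_assert(sizeof(unsigned long) == 8, "example assumes a 64-bit unsigned long");

typedef uint64_t phys_addr_t;

/* Constructed stand-in for memblock: one region of system RAM. */
#define FAKE_RAM_BASE 0x80000000ULL   /* 2 GiB */
#define FAKE_RAM_SIZE 0x40000000ULL   /* 1 GiB */

static int memblock_is_memory(phys_addr_t addr)
{
	return addr >= FAKE_RAM_BASE && addr < FAKE_RAM_BASE + FAKE_RAM_SIZE;
}

/*
 * Pre-fix behaviour: bits at or above (BITS_PER_LONG - PAGE_SHIFT) fall off
 * the top of the shift, so a PFN with those bits set is tested as if they
 * were clear.
 */
int pfn_valid_old(unsigned long pfn)
{
	return memblock_is_memory(pfn << PAGE_SHIFT);
}

/* Fixed behaviour: reject any pfn whose shift does not round-trip. */
int pfn_valid_fixed(unsigned long pfn)
{
	phys_addr_t addr = pfn << PAGE_SHIFT;

	if ((addr >> PAGE_SHIFT) != pfn)
		return 0;	/* upper PAGE_SHIFT bits were set: the shift overflowed */
	return memblock_is_memory(addr);
}

/*
 * Equivalent formulation: the round trip fails exactly when the top
 * PAGE_SHIFT bits of the pfn are non-zero.
 */
int pfn_has_upper_bits(unsigned long pfn)
{
	return (pfn >> (BITS_PER_LONG - PAGE_SHIFT)) != 0;
}

int main(void)
{
	unsigned long good    = FAKE_RAM_BASE >> PAGE_SHIFT;              /* 0x80000 */
	unsigned long bogus   = good | (1UL << 55);                       /* valid low bits, bit 55 set */
	unsigned long outside = (FAKE_RAM_BASE + FAKE_RAM_SIZE) >> PAGE_SHIFT; /* first pfn past RAM */

	printf("pfn 0x%lx: old=%d fixed=%d upper_bits=%d\n", good,
	       pfn_valid_old(good), pfn_valid_fixed(good), pfn_has_upper_bits(good));
	printf("pfn 0x%lx: old=%d fixed=%d upper_bits=%d\n", bogus,
	       pfn_valid_old(bogus), pfn_valid_fixed(bogus), pfn_has_upper_bits(bogus));
	printf("pfn 0x%lx: old=%d fixed=%d upper_bits=%d\n", outside,
	       pfn_valid_old(outside), pfn_valid_fixed(outside), pfn_has_upper_bits(outside));
	return 0;
}
```

Compiled with a 64-bit toolchain, the second line shows the false positive the commit message describes (old=1, fixed=0): the bogus PFN shifts to the same physical address as the good one, and only the round-trip check notices that the shift lost information. The third line confirms that the fix does not change the answer for an ordinary out-of-range PFN, which both versions reject via memblock_is_memory().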