From patchwork Tue May 1 20:11:43 2018
X-Patchwork-Submitter: Laura Abbott
X-Patchwork-Id: 10374405
From: Laura Abbott
To: Dave Anderson, Kees Cook, akpm@linux-foundation.org
Cc: Ard Biesheuvel, linux-kernel@vger.kernel.org, linux-mm@kvack.org, Andi Kleen, Laura Abbott, Ingo Molnar, linux-arm-kernel@lists.infradead.org
Subject: [PATCH] proc/kcore: Don't bounds check against address 0
Date: Tue, 1 May 2018 13:11:43 -0700
Message-Id: <20180501201143.15121-1-labbott@redhat.com>
In-Reply-To: <1039518799.26129578.1525185916272.JavaMail.zimbra@redhat.com>

The existing kcore code checks for bad addresses against __va(0) with the
assumption that this is the lowest address on the system. This may not
hold true on some systems (e.g. arm64) and produce overflows and crashes.
Switch to using other functions to validate the address range.

Tested-by: Dave Anderson
Signed-off-by: Laura Abbott
---
I took your previous comments as a tested by, please let me know if that
was wrong. This should probably just go through -mm. I don't think this is
necessary for stable but I can request it later if necessary.

---
 fs/proc/kcore.c | 23 ++++++++++++++++-------
 1 file changed, 16 insertions(+), 7 deletions(-)

diff --git a/fs/proc/kcore.c b/fs/proc/kcore.c index d1e82761de81..e64ecb9f2720 100644 --- a/fs/proc/kcore.c +++ b/fs/proc/kcore.c
@@ -209,25 +209,34 @@ kclist_add_private(unsigned long pfn, unsigned long nr_pages, void *arg) { struct list_head *head = (struct list_head *)arg; struct kcore_list *ent; + struct page *p; + + if (!pfn_valid(pfn)) + return 1; + + p = pfn_to_page(pfn); + if (!memmap_valid_within(pfn, p, page_zone(p))) + return 1; ent = kmalloc(sizeof(*ent), GFP_KERNEL); if (!ent) return -ENOMEM; - ent->addr = (unsigned long)__va((pfn << PAGE_SHIFT)); + ent->addr = (unsigned long)page_to_virt(p); ent->size = nr_pages << PAGE_SHIFT; - /* Sanity check: Can happen in 32bit arch...maybe */ - if (ent->addr < (unsigned long) __va(0)) + if (!virt_addr_valid(ent->addr)) goto free_out; /* cut not-mapped area. ....from ppc-32 code. */ if (ULONG_MAX - ent->addr < ent->size) ent->size = ULONG_MAX - ent->addr; - /* cut when vmalloc() area is higher than direct-map area */ - if (VMALLOC_START > (unsigned long)__va(0)) { - if (ent->addr > VMALLOC_START) - goto free_out; + /* + * We've already checked virt_addr_valid so we know this address + * is a valid pointer, therefore we can check against it to determine + * if we need to trim + */ + if (VMALLOC_START > ent->addr) { if (VMALLOC_START - ent->addr < ent->size) ent->size = VMALLOC_START - ent->addr; }
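
Review bot: the new validity checks in kclist_add_private() cover only the first page of the range. `pfn_valid(pfn)`, `memmap_valid_within(pfn, p, page_zone(p))` and `virt_addr_valid(ent->addr)` all test the starting pfn or the starting address, while the entry is still sized as `ent->size = nr_pages << PAGE_SHIFT`, so nothing in these lines confirms that the end of the range is valid too. Consider also checking the last pfn (`pfn + nr_pages - 1`), or add a comment stating why the caller guarantees that the whole range is contiguous and valid. Two smaller points: the new early exits use `return 1` while the allocation failure returns `-ENOMEM`, and the hunk does not say how the caller treats a positive return, so a one-line comment there would help; and the removed "Sanity check" comment has no replacement explaining why `virt_addr_valid()` is the right test on the result of `page_to_virt(p)`, which is worth stating since the old `ent->addr > VMALLOC_START` rejection is dropped on the strength of that check.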