From patchwork Mon Oct 4 22:42:22 2021
X-Patchwork-Submitter: Matthew Wilcox
X-Patchwork-Id: 12535081
From: "Matthew Wilcox (Oracle)"
To: Kees Cook
Cc: "Matthew Wilcox (Oracle)", linux-mm@kvack.org, Thomas Gleixner
Subject: [PATCH 2/3] mm/usercopy: Detect vmalloc overruns
Date: Mon, 4 Oct 2021 23:42:22 +0100
Message-Id: <20211004224224.4137992-3-willy@infradead.org>
In-Reply-To: <20211004224224.4137992-1-willy@infradead.org>
References: <20211004224224.4137992-1-willy@infradead.org>

If you have a vmalloc() allocation, or an address from calling vmap(), you cannot overrun the vm_area which describes it, regardless of the size of the underlying allocation. This probably doesn't do much for security because vmalloc comes with guard pages these days, but it prevents usercopy aborts when copying to a vmap() of smaller pages.

Signed-off-by: Matthew Wilcox (Oracle)
Acked-by: Kees Cook
--- mm/usercopy.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/mm/usercopy.c b/mm/usercopy.c index ac95b22fbbce..7bfc4f9ed1e4 100644 --- a/mm/usercopy.c +++ b/mm/usercopy.c @@ -17,6 +17,7 @@ #include #include #include +#include #include #include #include 
@@ -236,6 +237,14 @@ static inline void check_heap_object(const void *ptr, unsigned long n, return; } + if (is_vmalloc_addr(ptr)) { + struct vm_struct *vm = find_vm_area(ptr); + + if (ptr + n > vm->addr + vm->size) + usercopy_abort("vmalloc", NULL, to_user, 0, n); + return; + } + page = virt_to_head_page(ptr); if (PageSlab(page)) {
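Review bot: In the check_heap_object() hunk, the return value of find_vm_area(ptr) is dereferenced without a NULL check. is_vmalloc_addr() only tests that the address lies in the vmalloc range, and find_vm_area() returns NULL when no vm_struct covers it, so `vm->addr` would oops instead of producing a usercopy report. Suggest handling that case explicitly before the bounds test, for example `if (!vm) usercopy_abort("vmalloc", "no area", to_user, 0, n);`. Two smaller points on the same lines: the abort passes 0 as the offset, where `ptr - vm->addr` would make the report more useful, and vm->size includes the trailing guard page for areas created without VM_NO_GUARD, so comparing against get_vm_area_size(vm) would reject a copy that runs into the guard page rather than only one that runs past it.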