From patchwork Wed Oct 6 12:42:25 2021
X-Patchwork-Submitter: "Matthew Wilcox (Oracle)"
X-Patchwork-Id: 12539369
From: "Matthew Wilcox (Oracle)"
To: Kees Cook
Cc: "Matthew Wilcox (Oracle)" , linux-mm@kvack.org, Thomas Gleixner
Subject: [PATCH v2 2/3] mm/usercopy: Detect vmalloc overruns
Date: Wed, 6 Oct 2021 13:42:25 +0100
Message-Id: <20211006124226.209484-3-willy@infradead.org>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20211006124226.209484-1-willy@infradead.org>
References: <20211006124226.209484-1-willy@infradead.org>

If you have a vmalloc() allocation, or an address from calling vmap(), you cannot overrun the vm_area which describes it, regardless of the size of the underlying allocation. This probably doesn't do much for security because vmalloc comes with guard pages these days, but it prevents usercopy aborts when copying to a vmap() of smaller pages.

Signed-off-by: Matthew Wilcox (Oracle)
Acked-by: Kees Cook
---
 mm/usercopy.c | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/mm/usercopy.c b/mm/usercopy.c index 8c039302465f..63476e1506e0 100644 --- a/mm/usercopy.c +++ b/mm/usercopy.c @@ -17,6 +17,7 @@ #include #include #include +#include #include #include #include 
@@ -237,6 +238,21 @@ static inline void check_heap_object(const void *ptr, unsigned long n, return; } + if (is_vmalloc_addr(ptr)) { + struct vm_struct *vm = find_vm_area(ptr); + unsigned long offset; + + if (!vm) { + usercopy_abort("vmalloc", "no area", to_user, 0, n); + return; + } + + offset = ptr - vm->addr; + if (offset + n > vm->size) + usercopy_abort("vmalloc", NULL, to_user, offset, n); + return; + } + page = virt_to_head_page(ptr); if (PageSlab(page)) {
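Review bot: In the check_heap_object() hunk, the bound `if (offset + n > vm->size)` is one page too permissive for ordinary vmalloc areas, because vm_struct::size includes the trailing guard page unless the area was created with VM_NO_GUARD; a copy that runs off the end of the real mapping into the guard page therefore passes this check and is only caught later by the page fault the guard page provokes, which is exactly the case the commit message says guard pages cover. Comparing against `get_vm_area_size(vm)` instead gives the size of the mapped region the vm_area actually describes. As a minor style point, usercopy_abort() does not return, so the `return;` after `usercopy_abort("vmalloc", "no area", to_user, 0, n);` in the `!vm` branch is dead code and can be dropped, matching how the later abort in the same hunk is written.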