Re: [PATCH v4 2/4] mm/usercopy: Detect vmalloc overruns

On Thu, 16 Dec 2021 at 21:55, Matthew Wilcox (Oracle)
<willy@xxxxxxxxxxxxx> wrote:
>
> If you have a vmalloc() allocation, or an address from calling vmap(),
> you cannot overrun the vm_area which describes it, regardless of the
> size of the underlying allocation.  This probably doesn't do much for
> security because vmalloc comes with guard pages these days, but it
> prevents usercopy aborts when copying to a vmap() of smaller pages.
...
> +               offset = ptr - vm->addr;
> +               if (offset + n > vm->size)
> +                       usercopy_abort("vmalloc", NULL, to_user, offset, n);
> +               return;
> +       }
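
Review bot: in the test "if (offset + n > vm->size)" the sum is formed before the comparison, so if offset + n can wrap, an oversized n would pass the check and usercopy_abort() would not be reached. Unless an earlier check already rules out wraparound for ptr and n, comparing as "offset > vm->size || n > vm->size - offset" keeps the bound independent of the addition.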

Instead of vm->size, call get_vm_area_size() so any guard page is
trimmed from the length.

Mark
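
The difference between the two bounds discussed above, as an added example that is not part of the original thread or of the kernel source: a userspace model in C. The struct, the MODEL_* constants, the sample address and the function names are assumptions made for illustration; model_area_size() follows the rule of the kernel's get_vm_area_size(), which subtracts one page unless VM_NO_GUARD is set.

```c
/* Userspace model (constructed): only the fields the quoted hunk uses. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define MODEL_PAGE_SIZE   4096UL /* assumed page size for the model */
#define MODEL_VM_NO_GUARD 0x1UL  /* stands in for the kernel's VM_NO_GUARD */

struct model_vm_area {
    uintptr_t addr;      /* start of the mapping */
    unsigned long size;  /* length, including the guard page if present */
    unsigned long flags;
};

/* Same rule as get_vm_area_size(): drop the trailing guard page. */
static unsigned long model_area_size(const struct model_vm_area *vm)
{
    if (vm->flags & MODEL_VM_NO_GUARD)
        return vm->size;
    return vm->size - MODEL_PAGE_SIZE;
}

/* Bound as written in the quoted hunk: compares against vm->size. */
static bool copy_ok_raw(const struct model_vm_area *vm, uintptr_t ptr, unsigned long n)
{
    unsigned long offset = ptr - vm->addr;
    return !(offset + n > vm->size);
}

/* Bound with the guard page trimmed; written so the sum cannot wrap. */
static bool copy_ok_trimmed(const struct model_vm_area *vm, uintptr_t ptr, unsigned long n)
{
    unsigned long offset = ptr - vm->addr;
    unsigned long usable = model_area_size(vm);
    return offset <= usable && n <= usable - offset;
}

int main(void)
{
    /* Constructed sample: two data pages followed by one guard page. */
    struct model_vm_area vm = { 0x10000000UL, 3 * MODEL_PAGE_SIZE, 0 };
    uintptr_t ptr = vm.addr + 8000; /* 192 bytes before the guard page */

    printf("usable=%lu raw=%d trimmed=%d\n", model_area_size(&vm),
           copy_ok_raw(&vm, ptr, 500), copy_ok_trimmed(&vm, ptr, 500));
    return 0;
}
```

A 500-byte copy starting 192 bytes before the guard page is accepted by the vm->size bound and rejected once the guard page is excluded from the length.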



