Re: [Bug 216073] New: [s390x] kernel BUG at mm/usercopy.c:101! usercopy: Kernel memory exposure attempt detected from vmalloc 'n o area' (offset 0, size 1)!

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



> On Sun, Jun 12, 2022 at 03:03:20PM +0200, Uladzislau Rezki wrote:
> > > @@ -181,8 +181,9 @@ static inline void check_heap_object(const void *ptr, unsigned long n,
> > >  			return;
> > >  		}
> > >  
> > > -		offset = ptr - area->addr;
> > > -		if (offset + n > get_vm_area_size(area))
> > > +		/* XXX: We should also abort for free vmap_areas */
> > > +		offset = (unsigned long)ptr - area->va_start;
> > >
> > I was a bit confused about "offset" and why it is needed here. It is always zero. 
> > So we can get rid of it to make it less confused. From the other hand a zero offset
> > contributes to nothing.
> 
> I don't think offset is necessarily zero.  'ptr' is a pointer somewhere
> in the object, not necessarily the start of the object.
> 
Right you are. Just checked the __find_vmap_area() it returns VA of the address it
belongs to. Initially i was thinking that addr have to be exactly as va->start only,
so i was wrong.

> > >
> > > +		if (offset + n >= area->va_end)
> > >
> > I think it is a bit wrong. As i see it, "n" is a size and what we would like to do
> > here is boundary check:
> > 
> > <snip>
> > if (n > va_size(area))
> >     usercopy_abort("vmalloc", NULL, to_user, 0, n);
> > <snip>
> 
> Hmm ... we should probably be more careful about wrapping.
> 
>                 if (n > area->va_end - addr)
>                         usercopy_abort("vmalloc", NULL, to_user, offset, n);
> 
> ... and that goes for the whole function actually.  I'll split that into
> a separate change.
> 
Based on that offset can be > 0, checking "offset + n" with va->va_end is OK.

<snip>
if (offset + n > area->va_end)
    usercopy_abort("vmalloc", NULL, to_user, offset, n);
<snip>

--
Uladzislau Rezki




[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Bugtraq]     [Linux OMAP]     [Linux MIPS]     [eCos]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux