Re: [PATCH v5 0/6] compat: remove compat_alloc_user_space

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Fri, Jul 30, 2021 at 11:49 AM Heiko Carstens <hca@xxxxxxxxxxxxx> wrote:
> On Tue, Jul 27, 2021 at 04:48:53PM +0200, Arnd Bergmann wrote:
>
> Our CI reports this with linux-next and running strace selftest in
> compat mode:

Thanks a lot for the report! I managed track it down based on your
output, it turns out that I end up copying data from the stack according
to how much the user asked for, and in this case that was much more
than the 8 byte nodemask_t, copying all of the kernel stack all the
way into the guard page with CONFIG_VMAP_STACK, where it
crashed. Without CONFIG_VMAP_STACK, or with user space that
asks for less data, it would just be an information leak, so others
probably haven't noticed the problem.

The change below should fix that, I'll double-check the other callers
as well before sending a proper fixup patch to Andrew.

        Arnd

diff --git a/mm/mempolicy.c b/mm/mempolicy.c
index 4fabf2dddbc0..0d1f3be32723 100644
--- a/mm/mempolicy.c
+++ b/mm/mempolicy.c
@@ -1438,6 +1438,7 @@ static int copy_nodes_to_user(unsigned long
__user *mask, unsigned long maxnode,
                if (clear_user((char __user *)mask + nbytes, copy - nbytes))
                        return -EFAULT;
                copy = nbytes;
+               maxnode = nr_node_ids;
        }

        if (compat)



[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Kernel Development]     [Kernel Newbies]     [IDE]     [Security]     [Git]     [Netfilter]     [Bugtraq]     [Yosemite Info]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Linux ATA RAID]     [Samba]     [Linux Media]     [Device Mapper]

  Powered by Linux