[Bug 216073] [s390x] kernel BUG at mm/usercopy.c:101! usercopy: Kernel memory exposure attempt detected from vmalloc 'n o area' (offset 0, size 1)!

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



https://bugzilla.kernel.org/show_bug.cgi?id=216073

--- Comment #13 from willy@xxxxxxxxxxxxx ---
On Sun, Jun 12, 2022 at 03:03:20PM +0200, Uladzislau Rezki wrote:
> > @@ -181,8 +181,9 @@ static inline void check_heap_object(const void *ptr,
> unsigned long n,
> >                     return;
> >             }
> >  
> > -           offset = ptr - area->addr;
> > -           if (offset + n > get_vm_area_size(area))
> > +           /* XXX: We should also abort for free vmap_areas */
> > +           offset = (unsigned long)ptr - area->va_start;
> >
> I was a bit confused about "offset" and why it is needed here. It is always
> zero. 
> So we can get rid of it to make it less confused. From the other hand a zero
> offset
> contributes to nothing.

I don't think offset is necessarily zero.  'ptr' is a pointer somewhere
in the object, not necessarily the start of the object.

> >
> > +           if (offset + n >= area->va_end)
> >
> I think it is a bit wrong. As i see it, "n" is a size and what we would like
> to do
> here is boundary check:
> 
> <snip>
> if (n > va_size(area))
>     usercopy_abort("vmalloc", NULL, to_user, 0, n);
> <snip>

Hmm ... we should probably be more careful about wrapping.

                if (n > area->va_end - addr)
                        usercopy_abort("vmalloc", NULL, to_user, offset, n);

... and that goes for the whole function actually.  I'll split that into
a separate change.

-- 
You may reply to this email to add a comment.

You are receiving this mail because:
You are watching someone on the CC list of the bug.



[Index of Archives]     [XFS Filesystem Development (older mail)]     [Linux Filesystem Development]     [Linux Audio Users]     [Yosemite Trails]     [Linux Kernel]     [Linux RAID]     [Linux SCSI]


  Powered by Linux