+ nommu-check-that-access_process_vm-has-a-valid-target.patch added to -mm tree

akpm@xxxxxxxx · Wed, 30 Aug 2006 14:07:45 -0700

The patch titled

     NOMMU: Check that access_process_vm() has a valid target

has been added to the -mm tree.  Its filename is

     nommu-check-that-access_process_vm-has-a-valid-target.patch

See http://www.zip.com.au/~akpm/linux/patches/stuff/added-to-mm.txt to find
out what to do about this

------------------------------------------------------
Subject: NOMMU: Check that access_process_vm() has a valid target
From: David Howells <dhowells@xxxxxxxxxx>

Check that access_process_vm() is accessing a valid mapping in the target
process.

This limits ptrace() accesses and accesses through /proc/<pid>/maps to only
those regions actually mapped by a program.

Signed-off-by: David Howells <dhowells@xxxxxxxxxx>
Signed-off-by: Andrew Morton <akpm@xxxxxxxx>
---

 kernel/ptrace.c |   54 ----------------------------------------------
 mm/memory.c     |   53 +++++++++++++++++++++++++++++++++++++++++++++
 mm/nommu.c      |   47 ++++++++++++++++++++++++++++++++++++++++
 3 files changed, 100 insertions(+), 54 deletions(-)

diff -puN kernel/ptrace.c~nommu-check-that-access_process_vm-has-a-valid-target kernel/ptrace.c

--- a/kernel/ptrace.c~nommu-check-that-access_process_vm-has-a-valid-target
+++ a/kernel/ptrace.c
@@ -241,60 +241,6 @@ int ptrace_detach(struct task_struct *ch
 	return 0;
 }
 
-/*
- * Access another process' address space.
- * Source/target buffer must be kernel space, 
- * Do not walk the page table directly, use get_user_pages
- */
-
-int access_process_vm(struct task_struct *tsk, unsigned long addr, void *buf, int len, int write)
-{
-	struct mm_struct *mm;
-	struct vm_area_struct *vma;
-	struct page *page;
-	void *old_buf = buf;
-
-	mm = get_task_mm(tsk);
-	if (!mm)
-		return 0;
-
-	down_read(&mm->mmap_sem);
-	/* ignore errors, just check how much was sucessfully transfered */
-	while (len) {
-		int bytes, ret, offset;
-		void *maddr;
-
-		ret = get_user_pages(tsk, mm, addr, 1,
-				write, 1, &page, &vma);
-		if (ret <= 0)
-			break;
-
-		bytes = len;
-		offset = addr & (PAGE_SIZE-1);
-		if (bytes > PAGE_SIZE-offset)
-			bytes = PAGE_SIZE-offset;
-
-		maddr = kmap(page);
-		if (write) {
-			copy_to_user_page(vma, page, addr,
-					  maddr + offset, buf, bytes);
-			set_page_dirty_lock(page);
-		} else {
-			copy_from_user_page(vma, page, addr,
-					    buf, maddr + offset, bytes);
-		}
-		kunmap(page);
-		page_cache_release(page);
-		len -= bytes;
-		buf += bytes;
-		addr += bytes;
-	}
-	up_read(&mm->mmap_sem);
-	mmput(mm);
-	
-	return buf - old_buf;
-}
-
 int ptrace_readdata(struct task_struct *tsk, unsigned long src, char __user *dst, int len)
 {
 	int copied = 0;
diff -puN mm/memory.c~nommu-check-that-access_process_vm-has-a-valid-target mm/memory.c
--- a/mm/memory.c~nommu-check-that-access_process_vm-has-a-valid-target
+++ a/mm/memory.c
@@ -2550,3 +2550,56 @@ int in_gate_area_no_task(unsigned long a
 }
 
 #endif	/* __HAVE_ARCH_GATE_AREA */
+
+/*
+ * Access another process' address space.
+ * Source/target buffer must be kernel space,
+ * Do not walk the page table directly, use get_user_pages
+ */
+int access_process_vm(struct task_struct *tsk, unsigned long addr, void *buf, int len, int write)
+{
+	struct mm_struct *mm;
+	struct vm_area_struct *vma;
+	struct page *page;
+	void *old_buf = buf;
+
+	mm = get_task_mm(tsk);
+	if (!mm)
+		return 0;
+
+	down_read(&mm->mmap_sem);
+	/* ignore errors, just check how much was sucessfully transfered */
+	while (len) {
+		int bytes, ret, offset;
+		void *maddr;
+
+		ret = get_user_pages(tsk, mm, addr, 1,
+				write, 1, &page, &vma);
+		if (ret <= 0)
+			break;
+
+		bytes = len;
+		offset = addr & (PAGE_SIZE-1);
+		if (bytes > PAGE_SIZE-offset)
+			bytes = PAGE_SIZE-offset;
+
+		maddr = kmap(page);
+		if (write) {
+			copy_to_user_page(vma, page, addr,
+					  maddr + offset, buf, bytes);
+			set_page_dirty_lock(page);
+		} else {
+			copy_from_user_page(vma, page, addr,
+					    buf, maddr + offset, bytes);
+		}
+		kunmap(page);
+		page_cache_release(page);
+		len -= bytes;
+		buf += bytes;
+		addr += bytes;
+	}
+	up_read(&mm->mmap_sem);
+	mmput(mm);
+
+	return buf - old_buf;
+}
diff -puN mm/nommu.c~nommu-check-that-access_process_vm-has-a-valid-target mm/nommu.c
--- a/mm/nommu.c~nommu-check-that-access_process_vm-has-a-valid-target
+++ a/mm/nommu.c
@@ -1206,3 +1206,50 @@ struct page *filemap_nopage(struct vm_ar
 	BUG();
 	return NULL;
 }
+
+/*
+ * Access another process' address space.
+ * - source/target buffer must be kernel space
+ */
+int access_process_vm(struct task_struct *tsk, unsigned long addr, void *buf, int len, int write)
+{
+	struct vm_list_struct *vml;
+	struct vm_area_struct *vma;
+	struct mm_struct *mm;
+
+	if (addr + len < addr)
+		return 0;
+
+	mm = get_task_mm(tsk);
+	if (!mm)
+		return 0;
+
+	down_read(&mm->mmap_sem);
+
+	/* the access must start within one of the target process's mappings */
+	for (vml = mm->context.vmlist; vml; vml = vml->next)
+		if (addr >= vml->vma->vm_start && addr < vml->vma->vm_end)
+			break;
+
+	if (vml) {
+		vma = vml->vma;
+
+		/* don't overrun this mapping */
+		if (addr + len >= vma->vm_end)
+			len = vma->vm_end - addr;
+
+		/* only read or write mappings where it is permitted */
+		if (write && vma->vm_flags & VM_WRITE)
+			len -= copy_to_user((void *) addr, buf, len);
+		else if (!write && vma->vm_flags & VM_READ)
+			len -= copy_from_user(buf, (void *) addr, len);
+		else
+			len = 0;
+	} else {
+		len = 0;
+	}
+
+	up_read(&mm->mmap_sem);
+	mmput(mm);
+	return len;
+}
_

Patches currently in -mm which might be from dhowells@xxxxxxxxxx are

git-gfs2.patch
git-nfs.patch
nfs-replace-null-dentries-that-appear-in-readdirs-list-2.patch
binfmt_elf-consistently-use-loff_t.patch
afs-add-lock-annotations-to-afs_proc_cell_servers_startstop.patch
elf_fdpic_core_dump-dont-take-tasklist_lock.patch
simplify-update_times-avoid-jiffies-jiffies_64-aliasing-problem-2.patch
lib-rwsemc-un-inline-rwsem_down_failed_common.patch
nommu-check-that-access_process_vm-has-a-valid-target.patch
reiserfs-make-sure-all-dentries-refs-are-released-before-calling-kill_block_super-try-2.patch
fs-cache-provide-a-filesystem-specific-syncable-page-bit.patch
fs-cache-generic-filesystem-caching-facility.patch
fs-cache-release-page-private-in-failed-readahead.patch
fs-cache-release-page-private-after-failed-readahead-12.patch
fs-cache-make-kafs-use-fs-cache.patch
fs-cache-make-kafs-use-fs-cache-fix.patch
fs-cache-make-kafs-use-fs-cache-12.patch
fs-cache-make-kafs-use-fs-cache-12-fix.patch
fs-cache-make-kafs-use-fs-cache-vs-streamline-generic_file_-interfaces-and-filemap.patch
nfs-use-local-caching.patch
nfs-use-local-caching-12.patch
nfs-use-local-caching-12-fix.patch
fs-cache-cachefiles-ia64-missing-copy_page-export.patch
fs-cache-cachefiles-a-cache-that-backs-onto-a-mounted-filesystem.patch
fs-cache-cachefiles-a-cache-that-backs-onto-a-mounted-filesystem-cachefiles-printk-format-warning.patch
fs-cache-cachefiles-a-cache-that-backs-onto-a-mounted-filesystem-warning-fixes.patch
autofs-make-sure-all-dentries-refs-are-released-before-calling-kill_anon_super.patch
vfs-destroy-the-dentries-contributed-by-a-superblock-on-unmounting.patch
vfs-make-filldir_t-and-struct-kstat-deal-in-64-bit-inode-numbers.patch
vfs-make-filldir_t-and-struct-kstat-deal-in-64-bit-inode-numbers-alpha-fix.patch
nfs-represent-64-bit-fileids-as-64-bit-inode-numbers-on-32-bit-systems.patch
ecryptfs-get_sb_dev-fix.patch
block-move-functions-out-of-buffer-code.patch
block-remove-duplicate-declaration-of-exit_io_context.patch
block-stop-fallback_migrate_page-from-using-page_has_buffers.patch
block-separate-the-bounce-buffering-code-from-the-highmem-code.patch
block-dont-call-block_sync_page-from-afs.patch
block-move-extern-declarations-out-of-fs-c-into-header-files.patch
block-move-extern-declarations-out-of-fs-c-into-header-files-tidy.patch
block-remove-dependence-on-existence-of-blockdev_superblock.patch
block-remove-dependence-on-existence-of-blockdev_superblock-tidy.patch
block-dissociate-generic_writepages-from-mpage-stuff.patch
block-move-__invalidate_device-to-block_devc.patch
block-move-the-loop-device-ioctl-compat-stuff-to-the-loop-driver.patch
block-move-common-fs-specific-ioctls-to-linux-fsh.patch
block-move-the-reiserfs-device-ioctl-compat-stuff-to-the-reiserfs-driver.patch
block-move-the-ext2-device-ioctl-compat-stuff-to-the-ext2-driver.patch
block-move-the-ext3-device-ioctl-compat-stuff-to-the-ext3-driver.patch
block-move-the-msdos-device-ioctl-compat-stuff-to-the-msdos-driver.patch
block-remove-no-longer-necessary-linux-mpageh-inclusions.patch
block-remove-no-longer-necessary-linux-buffer_headh-inclusions.patch
block-make-usb-storage-depend-on-scsi-rather-than-selecting-it.patch
block-make-it-possible-to-disable-the-block-layer.patch
block-make-it-possible-to-disable-the-block-layer-tidy.patch
block-make-it-possible-to-disable-the-block-layer-tidy-fix.patch
reiser4-get_sb_dev-fix.patch
mutex-subsystem-synchro-test-module.patch

-
To unsubscribe from this list: send the line "unsubscribe mm-commits" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html




