The patch titled
Subject: proc/kcore: don't bounds check against address 0
has been added to the -mm tree. Its filename is
proc-kcore-dont-bounds-check-against-address-0.patch
This patch should soon appear at
http://ozlabs.org/~akpm/mmots/broken-out/proc-kcore-dont-bounds-check-against-address-0.patch
and later at
http://ozlabs.org/~akpm/mmotm/broken-out/proc-kcore-dont-bounds-check-against-address-0.patch
Before you just go and hit "reply", please:
a) Consider who else should be cc'ed
b) Prefer to cc a suitable mailing list as well
c) Ideally: find the original patch on the mailing list and do a
reply-to-all to that, adding suitable additional cc's
*** Remember to use Documentation/process/submit-checklist.rst when testing your code ***
The -mm tree is included into linux-next and is updated
there every 3-4 working days
------------------------------------------------------
From: Laura Abbott <labbott@xxxxxxxxxx>
Subject: proc/kcore: don't bounds check against address 0
The existing kcore code checks for bad addresses against __va(0) with the
assumption that this is the lowest address on the system. This may not
hold true on some systems (e.g. arm64) and produce overflows and crashes.
Switch to using other functions to validate the address range.
Link: http://lkml.kernel.org/r/20180501201143.15121-1-labbott@xxxxxxxxxx
Signed-off-by: Laura Abbott <labbott@xxxxxxxxxx>
Tested-by: Dave Anderson <anderson@xxxxxxxxxx>
Cc: Kees Cook <keescook@xxxxxxxxxxxx>
Cc: Ard Biesheuvel <ard.biesheuvel@xxxxxxxxxx>
Cc: Ingo Molnar <mingo@xxxxxxxxxx>
Cc: Andi Kleen <andi@xxxxxxxxxxxxxx>
Cc: Alexey Dobriyan <adobriyan@xxxxxxxxx>a
Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
---
fs/proc/kcore.c | 23 ++++++++++++++++-------
1 file changed, 16 insertions(+), 7 deletions(-)
diff -puN fs/proc/kcore.c~proc-kcore-dont-bounds-check-against-address-0 fs/proc/kcore.c
--- a/fs/proc/kcore.c~proc-kcore-dont-bounds-check-against-address-0
+++ a/fs/proc/kcore.c
@@ -209,25 +209,34 @@ kclist_add_private(unsigned long pfn, un
{
struct list_head *head = (struct list_head *)arg;
struct kcore_list *ent;
+ struct page *p;
+
+ if (!pfn_valid(pfn))
+ return 1;
+
+ p = pfn_to_page(pfn);
+ if (!memmap_valid_within(pfn, p, page_zone(p)))
+ return 1;
ent = kmalloc(sizeof(*ent), GFP_KERNEL);
if (!ent)
return -ENOMEM;
- ent->addr = (unsigned long)__va((pfn << PAGE_SHIFT));
+ ent->addr = (unsigned long)page_to_virt(p);
ent->size = nr_pages << PAGE_SHIFT;
- /* Sanity check: Can happen in 32bit arch...maybe */
- if (ent->addr < (unsigned long) __va(0))
+ if (!virt_addr_valid(ent->addr))
goto free_out;
/* cut not-mapped area. ....from ppc-32 code. */
if (ULONG_MAX - ent->addr < ent->size)
ent->size = ULONG_MAX - ent->addr;
- /* cut when vmalloc() area is higher than direct-map area */
- if (VMALLOC_START > (unsigned long)__va(0)) {
- if (ent->addr > VMALLOC_START)
- goto free_out;
+ /*
+ * We've already checked virt_addr_valid so we know this address
+ * is a valid pointer, therefore we can check against it to determine
+ * if we need to trim
+ */
+ if (VMALLOC_START > ent->addr) {
if (VMALLOC_START - ent->addr < ent->size)
ent->size = VMALLOC_START - ent->addr;
}
_
Patches currently in -mm which might be from labbott@xxxxxxxxxx are
proc-kcore-dont-bounds-check-against-address-0.patch
--
To unsubscribe from this list: send the line "unsubscribe mm-commits" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
