The patch titled
     Subject: mm: prevent mapping slab pages to userspace
has been added to the -mm tree.  Its filename is
     mm-prevent-mapping-slab-pages-to-userspace.patch

This patch should soon appear at
    http://ozlabs.org/~akpm/mmots/broken-out/mm-prevent-mapping-slab-pages-to-userspace.patch
and later at
    http://ozlabs.org/~akpm/mmotm/broken-out/mm-prevent-mapping-slab-pages-to-userspace.patch

Before you just go and hit "reply", please:
   a) Consider who else should be cc'ed
   b) Prefer to cc a suitable mailing list as well
   c) Ideally: find the original patch on the mailing list and do a
      reply-to-all to that, adding suitable additional cc's

*** Remember to use Documentation/process/submit-checklist.rst when testing your code ***

The -mm tree is included into linux-next and is updated
there every 3-4 working days

------------------------------------------------------
From: Matthew Wilcox <willy@xxxxxxxxxxxxx>
Subject: mm: prevent mapping slab pages to userspace

It's never appropriate to map a page allocated by SLAB into userspace.  A
buggy device driver might try this, or an attacker might be able to find a
way to make it happen.

Christoph said:

: Let's just fail the code.  Currently this may work with SLUB.  But SLAB
: and SLOB overlay fields with mapcount.  So you would have a corrupted page
: struct if you mapped a slab page to user space.

Link: http://lkml.kernel.org/r/20190125173827.2658-1-willy@xxxxxxxxxxxxx
Signed-off-by: Matthew Wilcox <willy@xxxxxxxxxxxxx>
Reviewed-by: Kees Cook <keescook@xxxxxxxxxxxx>
Cc: Rik van Riel <riel@xxxxxxxxxxx>
Cc: Christoph Lameter <cl@xxxxxxxxx>
Cc: Pekka Enberg <penberg@xxxxxxxxxx>
Cc: David Rientjes <rientjes@xxxxxxxxxx>
Cc: Joonsoo Kim <iamjoonsoo.kim@xxxxxxx>
Cc: Michael Ellerman <mpe@xxxxxxxxxxxxxx>
Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
---

 mm/memory.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/mm/memory.c~mm-prevent-mapping-slab-pages-to-userspace +++ a/mm/memory.c
@@ -1452,7 +1452,7 @@ static int insert_page(struct vm_area_st spinlock_t *ptl; retval = -EINVAL; - if (PageAnon(page)) + if (PageAnon(page) || PageSlab(page)) goto out; retval = -ENOMEM; flush_dcache_page(page); _ Patches currently in -mm which might be from willy@xxxxxxxxxxxxx are mm-remove-sysctl_extfrag_handler.patch mm-remove-redundant-test-from-find_get_pages_contig.patch mm-prevent-mapping-slab-pages-to-userspace.patch
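Review bot: The new PageSlab() test in insert_page() rejects the page silently and with the same -EINVAL already used for PageAnon(), so a driver that passes a slab page gets a bare error with nothing in the log to say which check it tripped. The commit message describes this as a driver bug or an attack path, and both are worth surfacing: consider a one-time warning on the PageSlab() branch so the offending caller shows up in the kernel log and in a stack trace. The condition also carries no comment; the reason slab pages must be refused (the mapcount overlay in struct page that Christoph describes) lives only in the changelog, and a short comment above the `if (PageAnon(page) || PageSlab(page))` line would keep that rationale next to the check.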