Re: [PATCH 1/2] MIPS: Bounds check virt_addr_valid

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Hello,

Paul Burton wrote:
> The virt_addr_valid() function is meant to return true iff
> virt_to_page() will return a valid struct page reference. This is true
> iff the address provided is found within the unmapped address range
> between PAGE_OFFSET & MAP_BASE, but we don't currently check for that
> condition. Instead we simply mask the address to obtain what will be a
> physical address if the virtual address is indeed in the desired range,
> shift it to form a PFN & then call pfn_valid(). This can incorrectly
> return true if called with a virtual address which, after masking,
> happens to form a physical address corresponding to a valid PFN.
> 
> For example we may vmalloc an address in the kernel mapped region
> starting a MAP_BASE & obtain the virtual address:
> 
> addr = 0xc000000000002000
> 
> When masked by virt_to_phys(), which uses __pa() & in turn CPHYSADDR(),
> we obtain the following (bogus) physical address:
> 
> addr = 0x2000
> 
> In a common system with PHYS_OFFSET=0 this will correspond to a valid
> struct page which should really be accessed by virtual address
> PAGE_OFFSET+0x2000, causing virt_addr_valid() to incorrectly return 1
> indicating that the original address corresponds to a struct page.
> 
> This is equivalent to the ARM64 change made in commit ca219452c6b8
> ("arm64: Correctly bounds check virt_addr_valid").
> 
> This fixes fallout when hardened usercopy is enabled caused by the
> related commit 517e1fbeb65f ("mm/usercopy: Drop extra
> is_vmalloc_or_module() check") which removed a check for the vmalloc
> range that was present from the introduction of the hardened usercopy
> feature.
> 
> Signed-off-by: Paul Burton <paul.burton@xxxxxxxx>
> References: ca219452c6b8 ("arm64: Correctly bounds check virt_addr_valid")
> References: 517e1fbeb65f ("mm/usercopy: Drop extra is_vmalloc_or_module() check")
> Reported-by: Julien Cristau <jcristau@xxxxxxxxxx>
> Tested-by: YunQiang Su <ysu@xxxxxxxxxxxx>
> URL: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929366
> Cc: stable@xxxxxxxxxxxxxxx # v4.12+
> Reviewed-by: Philippe Mathieu-Daudé <f4bug@xxxxxxxxx>

Series applied to mips-fixes.

Thanks,
    Paul

[ This message was auto-generated; if you believe anything is incorrect
  then please email paul.burton@xxxxxxxx to report it. ]
[Index of Archives]     [Linux Kernel]     [Kernel Development Newbies]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite Hiking]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux