On Fri, Aug 16, 2019 at 11:24:08AM -0700, Kees Cook wrote: > From: Prasad Sodagudi <psodagud@xxxxxxxxxxxxxx> > > commit 951531691c4bcaa59f56a316e018bc2ff1ddf855 upstream. > > Currently, when checking to see if accessing n bytes starting at address > "ptr" will cause a wraparound in the memory addresses, the check in > check_bogus_address() adds an extra byte, which is incorrect, as the > range of addresses that will be accessed is [ptr, ptr + (n - 1)]. > > This can lead to incorrectly detecting a wraparound in the memory > address, when trying to read 4 KB from memory that is mapped to the the > last possible page in the virtual address space, when in fact, accessing > that range of memory would not cause a wraparound to occur. > > Use the memory range that will actually be accessed when considering if > accessing a certain amount of bytes will cause the memory address to > wrap around. > > Link: http://lkml.kernel.org/r/1564509253-23287-1-git-send-email-isaacm@xxxxxxxxxxxxxx > Fixes: f5509cc18daa ("mm: Hardened usercopy") > Signed-off-by: Prasad Sodagudi <psodagud@xxxxxxxxxxxxxx> > Signed-off-by: Isaac J. Manjarres <isaacm@xxxxxxxxxxxxxx> > Co-developed-by: Prasad Sodagudi <psodagud@xxxxxxxxxxxxxx> > Reviewed-by: William Kucharski <william.kucharski@xxxxxxxxxx> > Acked-by: Kees Cook <keescook@xxxxxxxxxxxx> > Cc: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> > Cc: Trilok Soni <tsoni@xxxxxxxxxxxxxx> > Cc: <stable@xxxxxxxxxxxxxxx> > Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx> > Signed-off-by: Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx> > [kees: backport to v4.14] > Signed-off-by: Kees Cook <keescook@xxxxxxxxxxxx> This and the 4.9 patch now queued up, thanks for the backports. greg k-h
