Potential null pointer dereference in remap_vmalloc_range_partial()

[Dongyang Zhan <zdyzztq@gmail.com>]

[-- Attachment #1: Type: text/plain, Size: 1660 bytes --]

Hi,

I am a security researcher. I found a potential bug in /mm/sparse.c. I
hope you can help me to confirm it.

In Linux 4.10.17, remap_vmalloc_range_partial() in /mm/vmalloc.c does
not check the validation of allocated memory 'page', which may cause a
null pointer dereference bug.

int remap_vmalloc_range_partial(struct vm_area_struct *vma, unsigned long uaddr,
				void *kaddr, unsigned long size)
{
...
                struct page *page = vmalloc_to_page(kaddr); //page is
possible to be null
		int ret;

		ret = vm_insert_page(vma, uaddr, page); //null pointer dereference of page
		if (ret)
			return ret;
...
}
Let us see vmalloc_to_page(kaddr) in /mm/vmalloc.c
struct page *vmalloc_to_page(const void *vmalloc_addr)
{
	unsigned long addr = (unsigned long) vmalloc_addr;
	struct page *page = NULL;
	pgd_t *pgd = pgd_offset_k(addr);

	/*
	 * XXX we might need to change this if we add VIRTUAL_BUG_ON for
	 * architectures that do not vmalloc module space
	 */
	VIRTUAL_BUG_ON(!is_vmalloc_or_module_addr(vmalloc_addr));

	if (!pgd_none(*pgd)) {
		...
	}
	return page;
}
We can find that page is possible to be NULL.
Then, we can see this function vm_insert_page(vma, uaddr, page) in /mm/memory.c.
int vm_insert_page(struct vm_area_struct *vma, unsigned long addr,
			struct page *page)
{
	if (addr < vma->vm_start || addr >= vma->vm_end)
		return -EFAULT;
	if (!page_count(page)) //this function can trigger the bug.
		return -EINVAL;
	...
}
page_count() can be found in /include/linux/page_ref.h.
static inline int page_count(struct page *page)
{
	return atomic_read(&compound_head(page)->_refcount);
}
Directly using the 'page' pointer is not secure.

[-- Attachment #2: Type: text/html, Size: 2398 bytes --]