From: Dongyang Zhan
Date: Sun, 3 May 2020 14:03:21 +0800
Subject: Potential null pointer dereference in remap_vmalloc_range_partial()
To: linux-mm@kvack.org

Hi,

I am a security researcher. I found a potential bug in /mm/sparse.c. I hope
you can help me to confirm it.

In Linux 4.10.17, remap_vmalloc_range_partial() in /mm/vmalloc.c does not
check the validity of the allocated memory 'page', which may cause a null
pointer dereference bug.

int remap_vmalloc_range_partial(struct vm_area_struct *vma, unsigned long uaddr,
				void *kaddr, unsigned long size)
{
	...
		struct page *page = vmalloc_to_page(kaddr); // page may be NULL
		int ret;

		ret = vm_insert_page(vma, uaddr, page); // null pointer dereference of page
		if (ret)
			return ret;
	...
}

Let us look at vmalloc_to_page(kaddr) in /mm/vmalloc.c:

struct page *vmalloc_to_page(const void *vmalloc_addr)
{
	unsigned long addr = (unsigned long) vmalloc_addr;
	struct page *page = NULL;
	pgd_t *pgd = pgd_offset_k(addr);

	/*
	 * XXX we might need to change this if we add VIRTUAL_BUG_ON for
	 * architectures that do not vmalloc module space
	 */
	VIRTUAL_BUG_ON(!is_vmalloc_or_module_addr(vmalloc_addr));

	if (!pgd_none(*pgd)) {
		...
	}
	return page;
}

We can see that page may be NULL.

Then we can look at vm_insert_page(vma, uaddr, page) in /mm/memory.c:

int vm_insert_page(struct vm_area_struct *vma, unsigned long addr,
			struct page *page)
{
	if (addr < vma->vm_start || addr >= vma->vm_end)
		return -EFAULT;
	if (!page_count(page)) // this call can trigger the bug
		return -EINVAL;
	...
}

page_count() can be found in /include/linux/page_ref.h:

static inline int page_count(struct page *page)
{
	return atomic_read(&compound_head(page)->_refcount);
}

Directly using the 'page' pointer is not secure.
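Added example, not part of the report or of the kernel source: a user-space model of the call chain discussed above, with a constructed page table that contains a hole, a lookup that returns NULL like vmalloc_to_page(), an insert routine that dereferences the page in page_count() like vm_insert_page(), and a remap loop that rejects the NULL page before it can be dereferenced. All names prefixed `model_`, the `struct vm_area` type and the backing arrays are assumptions made for the model.

```c
#include <stddef.h>
#include <errno.h>
#define PAGE_SIZE 4096UL
#define NR_PAGES  4
struct page { int refcount; };                 /* stand-in for _refcount */
struct vm_area { unsigned long start, end; int inserted; };

/* Constructed backing store for the model area; slot 2 is an unmapped hole. */
static struct page model_pages[NR_PAGES] = { {1}, {1}, {1}, {1} };
static struct page *page_table[NR_PAGES] = { &model_pages[0], &model_pages[1],
					     NULL, &model_pages[3] };

/* Like vmalloc_to_page(): returns NULL when nothing is mapped at kaddr. */
static struct page *model_vmalloc_to_page(unsigned long kaddr)
{
	unsigned long idx = kaddr / PAGE_SIZE;
	return idx < NR_PAGES ? page_table[idx] : NULL;
}

/* Like page_count(): dereferences page unconditionally. */
static int model_page_count(struct page *page) { return page->refcount; }

/* Like vm_insert_page(): range check, then page_count() with no NULL check. */
static int model_vm_insert_page(struct vm_area *vma, unsigned long uaddr,
				struct page *page)
{
	if (uaddr < vma->start || uaddr >= vma->end)
		return -EFAULT;
	if (!model_page_count(page))
		return -EINVAL;
	vma->inserted++;
	return 0;
}

/* Remap loop with the guard the report asks for: a hole fails with -EINVAL
 * instead of handing a NULL page to vm_insert_page(). */
int remap_range_checked(struct vm_area *vma, unsigned long uaddr,
			unsigned long kaddr, unsigned long size)
{
	do {
		struct page *page = model_vmalloc_to_page(kaddr);
		int ret;
		if (!page)
			return -EINVAL;
		ret = model_vm_insert_page(vma, uaddr, page);
		if (ret)
			return ret;
		uaddr += PAGE_SIZE;
		kaddr += PAGE_SIZE;
		size -= PAGE_SIZE;
	} while (size > 0);
	return 0;
}
```

In the 4.10 kernel the loop quoted in the report is preceded, in the elided prologue of remap_vmalloc_range_partial(), by a find_vm_area() lookup and a VM_USERMAP flag check on the region, so whether a NULL page can actually reach vm_insert_page() depends on that guarantee holding. The explicit guard above costs one compare and turns the failure into a clean -EINVAL rather than an oops.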