References: <20211216215351.3811471-1-willy@infradead.org> <20211216215351.3811471-3-willy@infradead.org>
In-Reply-To: <20211216215351.3811471-3-willy@infradead.org>
From: Mark Hemment
Date: Fri, 17 Dec 2021 13:07:07 +0000
Subject: Re: [PATCH v4 2/4] mm/usercopy: Detect vmalloc overruns
To: "Matthew Wilcox (Oracle)"
Cc: Kees Cook, linux-mm@kvack.org, linux-hardening@vger.kernel.org, William Kucharski
On Thu, 16 Dec 2021 at 21:55, Matthew Wilcox (Oracle) wrote:
>
> If you have a vmalloc() allocation, or an address from calling vmap(),
> you cannot overrun the vm_area which describes it, regardless of the
> size of the underlying allocation. This probably doesn't do much for
> security because vmalloc comes with guard pages these days, but it
> prevents usercopy aborts when copying to a vmap() of smaller pages.
...
> + offset = ptr - vm->addr;
> + if (offset + n > vm->size)
> + usercopy_abort("vmalloc", NULL, to_user, offset, n);
> + return;
> + }

Instead of vm->size, call get_vm_area_size() so any guard page is
trimmed from the length.

Mark
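Review bot: the bound in `if (offset + n > vm->size)` is the full mapping length, and the commit message itself says vmalloc allocations carry a guard page, so a copy that overruns the usable pages but stays inside the guard page passes this check and only shows up later as a fault instead of a usercopy report; compare against the usable length instead, i.e. `if (offset + n > get_vm_area_size(vm))`, which is what the reply proposes.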
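To make the difference between the two bounds concrete, here is an added user-space model of the check (not kernel code and not part of this thread): `struct vm_area_model`, `usable_size()` and the two `overruns_with_*` helpers are assumptions standing in for `struct vm_struct`, `get_vm_area_size()` and the posted hunk, with a hypothetical 2-page area whose `size` includes the trailing guard page.

```c
/* Added illustration, not kernel code: a user-space model of the
 * usercopy bounds check discussed in the thread. A vm area's ->size
 * covers the mapped pages plus the trailing guard page unless the area
 * was created with VM_NO_GUARD; get_vm_area_size() trims the guard.
 * Checking n against ->size lets a copy run into the guard page
 * without being reported. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SIZE   4096UL
#define VM_NO_GUARD 0x00000040UL /* same name as the kernel flag; value is a model constant here */

/* Minimal stand-in for struct vm_struct: base address, total size, flags. */
struct vm_area_model {
	uintptr_t addr;      /* start of the mapping */
	unsigned long size;  /* mapped bytes including the guard page */
	unsigned long flags;
};

/* Model of get_vm_area_size(): everything except the guard page. */
static unsigned long usable_size(const struct vm_area_model *vm)
{
	if (vm->flags & VM_NO_GUARD)
		return vm->size;
	return vm->size - PAGE_SIZE;
}

/* The check as posted: compares against ->size, so the guard page counts
 * as valid target space. */
static bool overruns_with_raw_size(const struct vm_area_model *vm,
				   uintptr_t ptr, unsigned long n)
{
	unsigned long offset = ptr - vm->addr;

	return offset + n > vm->size;
}

/* The check with the guard page trimmed, as the reply suggests. */
static bool overruns_with_usable_size(const struct vm_area_model *vm,
				      uintptr_t ptr, unsigned long n)
{
	unsigned long offset = ptr - vm->addr;

	return offset + n > usable_size(vm);
}

int main(void)
{
	/* Constructed sample: a 2-page area, so ->size is 3 pages with its guard. */
	struct vm_area_model vm = {
		.addr = 0x10000000, .size = 3 * PAGE_SIZE, .flags = 0,
	};
	uintptr_t ptr = vm.addr + PAGE_SIZE; /* last usable page */
	unsigned long n = 2 * PAGE_SIZE;     /* spills one page into the guard */

	printf("->size check reports overrun: %s\n",
	       overruns_with_raw_size(&vm, ptr, n) ? "yes" : "no");
	printf("usable-size check reports overrun: %s\n",
	       overruns_with_usable_size(&vm, ptr, n) ? "yes" : "no");
	return 0;
}
```

The first check accepts the copy because the extra page still lies within `size`; the second rejects it, which is the behaviour the reply asks for. An area with `VM_NO_GUARD` has no page to trim, so both checks agree there.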