From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7F347C433EF for ; Wed, 6 Oct 2021 01:27:28 +0000 (UTC) Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by mail.kernel.org (Postfix) with ESMTP id B765C61042 for ; Wed, 6 Oct 2021 01:27:27 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.4.1 mail.kernel.org B765C61042 Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=infradead.org Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=kvack.org Received: by kanga.kvack.org (Postfix) id 971DE6B006C; Tue, 5 Oct 2021 21:27:22 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id 921986B0071; Tue, 5 Oct 2021 21:27:22 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 8114D900002; Tue, 5 Oct 2021 21:27:22 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from forelay.hostedemail.com (smtprelay0234.hostedemail.com [216.40.44.234]) by kanga.kvack.org (Postfix) with ESMTP id 726F06B006C for ; Tue, 5 Oct 2021 21:27:22 -0400 (EDT) Received: from smtpin06.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251]) by forelay05.hostedemail.com (Postfix) with ESMTP id 0E1DA183C03F7 for ; Wed, 6 Oct 2021 01:27:22 +0000 (UTC) X-FDA: 78664274724.06.B478901 Received: from casper.infradead.org (casper.infradead.org [90.155.50.34]) by imf05.hostedemail.com (Postfix) with ESMTP id 676A6507372F for ; Wed, 6 Oct 2021 01:27:21 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=infradead.org; s=casper.20170209; h=In-Reply-To:Content-Type:MIME-Version: References:Message-ID:Subject:Cc:To:From:Date:Sender:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description; bh=IMCQUc+cJhNONcd1Z9ll4N8k2VbG90B5TOPzFmgjmMg=; b=m4nDdAeGFCAwD2l2sTJfPPi3W/ HLK4OjQIGtqfn5Ry/wykPZ7lI2tz4tIxlyHAKfnsb++bbkFCFqB+vdFnqIY6LRMR8V20+lKtWfzAW fV//1UIM2Bq4NPwnXlgxW39lEGjfYjqfb2dJqEXKK+6k9O+29Cb+bJp/5Q/gXNZT9tal8PxCFxeWu b4T4TMADEpqLUtHR9EAKtSdU4wbAnKNPbUhr4jU1CHbqAflAbUB6nZRrEFQYCVkEfRcib4Ym/yyYn MNkw9luWrgjtlFM6Qyy+I0eXN1gywziR2EoEuwjtDMjHyNqJq6Bm+ZroRO48lQLkBndNlCT8Z/wNI Y/bNYwgw==; Received: from willy by casper.infradead.org with local (Exim 4.94.2 #2 (Red Hat Linux)) id 1mXvhh-000RZf-IT; Wed, 06 Oct 2021 01:26:53 +0000 Date: Wed, 6 Oct 2021 02:26:41 +0100 From: Matthew Wilcox To: Kees Cook Cc: linux-mm@kvack.org, Thomas Gleixner Subject: Re: [PATCH 2/3] mm/usercopy: Detect vmalloc overruns Message-ID: References: <20211004224224.4137992-1-willy@infradead.org> <20211004224224.4137992-3-willy@infradead.org> <202110051423.9F6F93752@keescook> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <202110051423.9F6F93752@keescook> X-Rspamd-Server: rspam05 X-Rspamd-Queue-Id: 676A6507372F X-Stat-Signature: 8y19wd6tan1km8io5dcpcchqcp83pttd Authentication-Results: imf05.hostedemail.com; dkim=pass header.d=infradead.org header.s=casper.20170209 header.b=m4nDdAeG; dmarc=none; spf=none (imf05.hostedemail.com: domain of willy@infradead.org has no SPF policy when checking 90.155.50.34) smtp.mailfrom=willy@infradead.org X-HE-Tag: 1633483641-532661 X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: On Tue, Oct 05, 2021 at 02:25:23PM -0700, Kees Cook wrote: > On Mon, Oct 04, 2021 at 11:42:22PM +0100, Matthew Wilcox (Oracle) wrote: > > If you have a vmalloc() allocation, or an address from calling vmap(), > > you cannot overrun the vm_area which describes it, regardless of the > > size of the underlying allocation. This probably doesn't do much for > > security because vmalloc comes with guard pages these days, but it > > prevents usercopy aborts when copying to a vmap() of smaller pages. > > > > Signed-off-by: Matthew Wilcox (Oracle) > > --- > > mm/usercopy.c | 9 +++++++++ > > 1 file changed, 9 insertions(+) > > > > diff --git a/mm/usercopy.c b/mm/usercopy.c > > index ac95b22fbbce..7bfc4f9ed1e4 100644 > > --- a/mm/usercopy.c > > +++ b/mm/usercopy.c > > @@ -17,6 +17,7 @@ > > #include > > #include > > #include > > +#include > > #include > > #include > > #include > > @@ -236,6 +237,14 @@ static inline void check_heap_object(const void *ptr, unsigned long n, > > return; > > } > > > > + if (is_vmalloc_addr(ptr)) { > > + struct vm_struct *vm = find_vm_area(ptr); > > + > > + if (ptr + n > vm->addr + vm->size) > > + usercopy_abort("vmalloc", NULL, to_user, 0, n); > > This "0" is easy to make "ptr - vm->addr". With that fixed: > > Acked-by: Kees Cook Looking at this again, if we do ... char *p = vmalloc(2 * PAGE_SIZE); copy_from_user(p + 2 * PAGE_SIZE, ...); then 'vm' can be NULL. I think. While we can't catch everything, a NULL pointer dereference here seems a little unfriendly? So how about this: if (is_vmalloc_addr(ptr)) { struct vm_struct *vm = find_vm_area(ptr); unsigned long offset; if (!vm) { usercopy_abort("vmalloc", NULL, to_user, 0, n); return; } offset = ptr - vm->addr; if (offset + n > vm->size) usercopy_abort("vmalloc", NULL, to_user, offset, n); return; } Do we want to distinguish the two cases somehow?