1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git synced 2025-01-24 17:23:25 -05:00
linux/samples
Jann Horn bdebd6a283 vmalloc: fix remap_vmalloc_range() bounds checks
remap_vmalloc_range() has had various issues with the bounds checks it
promises to perform ("This function checks that addr is a valid
vmalloc'ed area, and that it is big enough to cover the vma") over time,
e.g.:

 - not detecting pgoff<<PAGE_SHIFT overflow

 - not detecting (pgoff<<PAGE_SHIFT)+usize overflow

 - not checking whether addr and addr+(pgoff<<PAGE_SHIFT) are the same
   vmalloc allocation

 - comparing a potentially wildly out-of-bounds pointer with the end of
   the vmalloc region

In particular, since commit fc9702273e ("bpf: Add mmap() support for
BPF_MAP_TYPE_ARRAY"), unprivileged users can cause kernel null pointer
dereferences by calling mmap() on a BPF map with a size that is bigger
than the distance from the start of the BPF map to the end of the
address space.

This could theoretically be used as a kernel ASLR bypass, by using
whether mmap() with a given offset oopses or returns an error code to
perform a binary search over the possible address range.

To allow remap_vmalloc_range_partial() to verify that addr and
addr+(pgoff<<PAGE_SHIFT) are in the same vmalloc region, pass the offset
to remap_vmalloc_range_partial() instead of adding it to the pointer in
remap_vmalloc_range().

In remap_vmalloc_range_partial(), fix the check against
get_vm_area_size() by using size comparisons instead of pointer
comparisons, and add checks for pgoff.

Fixes: 833423143c ("[PATCH] mm: introduce remap_vmalloc_range()")
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Cc: stable@vger.kernel.org
Cc: Alexei Starovoitov <ast@kernel.org>
Cc: Daniel Borkmann <daniel@iogearbox.net>
Cc: Martin KaFai Lau <kafai@fb.com>
Cc: Song Liu <songliubraving@fb.com>
Cc: Yonghong Song <yhs@fb.com>
Cc: Andrii Nakryiko <andriin@fb.com>
Cc: John Fastabend <john.fastabend@gmail.com>
Cc: KP Singh <kpsingh@chromium.org>
Link: http://lkml.kernel.org/r/20200415222312.236431-1-jannh@google.com
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2020-04-21 11:11:56 -07:00
..
auxdisplay .gitignore: add SPDX License Identifier 2020-03-25 11:50:48 +01:00
binderfs
bpf SPDX patches for 5.7-rc1. 2020-04-03 13:12:26 -07:00
configfs
connector .gitignore: add SPDX License Identifier 2020-03-25 11:50:48 +01:00
ftrace
hidraw .gitignore: add SPDX License Identifier 2020-03-25 11:50:48 +01:00
hw_breakpoint samples/hw_breakpoint: drop use of kallsyms_lookup_name() 2020-04-07 10:43:44 -07:00
kdb
kfifo proc: convert everything to "struct proc_ops" 2020-02-04 03:05:26 +00:00
kobject
kprobes
livepatch
mei .gitignore: add SPDX License Identifier 2020-03-25 11:50:48 +01:00
mic/mpssd .gitignore: add SPDX License Identifier 2020-03-25 11:50:48 +01:00
pidfd .gitignore: add SPDX License Identifier 2020-03-25 11:50:48 +01:00
pktgen
qmi
rpmsg
seccomp .gitignore: add SPDX License Identifier 2020-03-25 11:50:48 +01:00
timers .gitignore: add SPDX License Identifier 2020-03-25 11:50:48 +01:00
trace_events
trace_printk
uhid kbuild: rename hostprogs-y/always to hostprogs/always-y 2020-02-04 01:53:07 +09:00
v4l media: rename VFL_TYPE_GRABBER to _VIDEO 2020-02-24 16:52:39 +01:00
vfio-mdev vmalloc: fix remap_vmalloc_range() bounds checks 2020-04-21 11:11:56 -07:00
vfs .gitignore: add SPDX License Identifier 2020-03-25 11:50:48 +01:00
watchdog .gitignore: add SPDX License Identifier 2020-03-25 11:50:48 +01:00
Kconfig
Makefile