github-mirror/linux
1
0
Fork 0
mirror of https://github.com/torvalds/linux.git synced 2026-06-09 07:03:37 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity Graph
46eafd0f59
linux/fs/proc
History
Jann Horn d8da38eafa vmalloc: fix remap_vmalloc_range() bounds checks 
commit bdebd6a283 upstream.

remap_vmalloc_range() has had various issues with the bounds checks it
promises to perform ("This function checks that addr is a valid
vmalloc'ed area, and that it is big enough to cover the vma") over time,
e.g.:

 - not detecting pgoff<<PAGE_SHIFT overflow

 - not detecting (pgoff<<PAGE_SHIFT)+usize overflow

 - not checking whether addr and addr+(pgoff<<PAGE_SHIFT) are the same
   vmalloc allocation

 - comparing a potentially wildly out-of-bounds pointer with the end of
   the vmalloc region

In particular, since commit fc9702273e ("bpf: Add mmap() support for
BPF_MAP_TYPE_ARRAY"), unprivileged users can cause kernel null pointer
dereferences by calling mmap() on a BPF map with a size that is bigger
than the distance from the start of the BPF map to the end of the
address space.

This could theoretically be used as a kernel ASLR bypass, by using
whether mmap() with a given offset oopses or returns an error code to
perform a binary search over the possible address range.

To allow remap_vmalloc_range_partial() to verify that addr and
addr+(pgoff<<PAGE_SHIFT) are in the same vmalloc region, pass the offset
to remap_vmalloc_range_partial() instead of adding it to the pointer in
remap_vmalloc_range().

In remap_vmalloc_range_partial(), fix the check against
get_vm_area_size() by using size comparisons instead of pointer
comparisons, and add checks for pgoff.

Fixes: 833423143c ("[PATCH] mm: introduce remap_vmalloc_range()")
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Cc: stable@vger.kernel.org
Cc: Alexei Starovoitov <ast@kernel.org>
Cc: Daniel Borkmann <daniel@iogearbox.net>
Cc: Martin KaFai Lau <kafai@fb.com>
Cc: Song Liu <songliubraving@fb.com>
Cc: Yonghong Song <yhs@fb.com>
Cc: Andrii Nakryiko <andriin@fb.com>
Cc: John Fastabend <john.fastabend@gmail.com>
Cc: KP Singh <kpsingh@chromium.org>
Link: http://lkml.kernel.org/r/20200415222312.236431-1-jannh@google.com
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-04-29 16:31:27 +02:00
..
array.c fs/proc/array.c: allow reporting eip/esp for all coredumping threads 2019-07-03 13:14:44 +02:00
base.c /proc/<pid>/cmdline: add back the setproctitle() special case 2019-08-04 09:30:56 +02:00
cmdline.c
consoles.c
cpuinfo.c
devices.c
fd.c
fd.h
generic.c proc: fix /proc/net/* after setns(2) 2019-03-13 14:02:32 -07:00
inode.c
internal.h proc: fix /proc/net/* after setns(2) 2019-03-13 14:02:32 -07:00
interrupts.c
Kconfig proc/kcore: add vmcoreinfo note to /proc/kcore 2018-08-22 10:52:46 -07:00
kcore.c x86/gart: Exclude GART aperture from kcore 2019-04-20 09:15:59 +02:00
kmsg.c
loadavg.c
Makefile
meminfo.c
namespaces.c
nommu.c
page.c fs/proc/page.c: don't access uninitialized memmaps in fs/proc/page.c 2019-10-29 09:19:56 +01:00
proc_net.c proc: fix /proc/net/* after setns(2) 2019-03-13 14:02:32 -07:00
proc_sysctl.c fs/proc/proc_sysctl.c: fix the default values of i_uid/i_gid on /proc/sys inodes. 2019-07-26 09:14:24 +02:00
proc_tty.c
root.c
self.c
softirqs.c
stat.c
task_mmu.c mm, thp, proc: report THP eligibility for each vma 2019-12-17 20:35:45 +01:00
task_nommu.c proc: use down_read_killable mmap_sem for /proc/pid/maps 2019-07-31 07:27:09 +02:00
thread_self.c
uptime.c
util.c
version.c
vmcore.c vmalloc: fix remap_vmalloc_range() bounds checks 2020-04-29 16:31:27 +02:00