Re: [PATCH 1/3] mm/vmalloc: fix size check for remap_vmalloc_range_partial()

From: Roman Penyaev
Date: Fri Jan 04 2019 - 05:21:43 EST

Next message: Tetsuo Handa: "Re: [PATCH] tty/n_hdlc: fix sleep in !TASK_RUNNING state warning"
Previous message: Vitaly Chikunov: "Re: [RFC PATCH] akcipher: Introduce verify2 for public key algorithms"
In reply to: Michal Hocko: "Re: [PATCH 1/3] mm/vmalloc: fix size check for remap_vmalloc_range_partial()"
Next in thread: Michal Hocko: "Re: [PATCH 1/3] mm/vmalloc: fix size check for remap_vmalloc_range_partial()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 2019-01-04 10:38, Michal Hocko wrote:

[...]

>
> OK, my response was more confusing than I intended. I meant to say. Is
> there any in kernel code that would allow the bug have had in mind?
> In other words can userspace trick any existing code?

In theory any existing caller of remap_vmalloc_range() which does
not have an explicit size check should trigger an oops, e.g. this is
a good candidate:

*** drivers/media/usb/stkwebcam/stk-webcam.c:
v4l_stk_mmap[789] ret = remap_vmalloc_range(vma, sbuf->buffer,
0);

Hmm, sbuf->buffer is allocated in stk_setup_siobuf to have
buf->v4lbuf.length. mmap callback maps this buffer to the vma size and
that is indeed not enforced to be <= length AFAICS. So you are right!

Can we have an example in the changelog please?

You mean to resend this particular patch with the list of possible
candidates for oops in a comment message? Sure thing.

--
Roman

Next message: Tetsuo Handa: "Re: [PATCH] tty/n_hdlc: fix sleep in !TASK_RUNNING state warning"
Previous message: Vitaly Chikunov: "Re: [RFC PATCH] akcipher: Introduce verify2 for public key algorithms"
In reply to: Michal Hocko: "Re: [PATCH 1/3] mm/vmalloc: fix size check for remap_vmalloc_range_partial()"
Next in thread: Michal Hocko: "Re: [PATCH 1/3] mm/vmalloc: fix size check for remap_vmalloc_range_partial()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]