Re: [PATCH] mm/vmalloc: Sanitize __get_vm_area() arguments

From: Uladzislau Rezki
Date: Fri Apr 03 2020 - 14:18:30 EST


On Fri, Apr 03, 2020 at 06:32:53PM +0200, Peter Zijlstra wrote:
>
> __get_vm_area() is an exported symbol, make sure the callers stay in
> the expected memory range. When calling this function with memory
> ranges outside of the VMALLOC range *bad* things can happen.
>
> (I noticed this when I managed to corrupt the kernel text by accident)
>
> Signed-off-by: Peter Zijlstra (Intel) <peterz@xxxxxxxxxxxxx>
> ---
> mm/vmalloc.c | 7 +++++++
> 1 file changed, 7 insertions(+)
>
> --- a/mm/vmalloc.c
> +++ b/mm/vmalloc.c
> @@ -2130,6 +2130,13 @@ static struct vm_struct *__get_vm_area_n
> struct vm_struct *__get_vm_area(unsigned long size, unsigned long flags,
> unsigned long start, unsigned long end)
> {
> + /*
> + * Ensure callers stay in the vmalloc range.
> + */
> + if (WARN_ON(start < VMALLOC_START || start > VMALLOC_END ||
> + end < VMALLOC_START || end > VMALLOC_END))
> + return NULL;
> +
> return __get_vm_area_node(size, 1, flags, start, end, NUMA_NO_NODE,
> GFP_KERNEL, __builtin_return_address(0));
> }
Peter, could you please clarify what kind of issues you had and how you
tested?

__get_vm_area() is not limited by allocating only with vmalloc space,
it can use whole virtual address space/range, i.e. 1 - ULONG_MAX.

Though, i am not sure if there are users(who uses __get_vm_area())
which allocate outside of vmalloc address space.

--
Vlad Rezki