Re: [PATCH] mm/vmalloc: Sanitize __get_vm_area() arguments

From: Peter Zijlstra
Date: Fri Apr 03 2020 - 14:53:15 EST


On Fri, Apr 03, 2020 at 08:18:18PM +0200, Uladzislau Rezki wrote:
> On Fri, Apr 03, 2020 at 06:32:53PM +0200, Peter Zijlstra wrote:
> >
> > __get_vm_area() is an exported symbol, make sure the callers stay in
> > the expected memory range. When calling this function with memory
> > ranges outside of the VMALLOC range *bad* things can happen.
> >
> > (I noticed this when I managed to corrupt the kernel text by accident)
> >
> > Signed-off-by: Peter Zijlstra (Intel) <peterz@xxxxxxxxxxxxx>
> > ---
> > mm/vmalloc.c | 7 +++++++
> > 1 file changed, 7 insertions(+)
> >
> > --- a/mm/vmalloc.c
> > +++ b/mm/vmalloc.c
> > @@ -2130,6 +2130,13 @@ static struct vm_struct *__get_vm_area_n
> > struct vm_struct *__get_vm_area(unsigned long size, unsigned long flags,
> > unsigned long start, unsigned long end)
> > {
> > + /*
> > + * Ensure callers stay in the vmalloc range.
> > + */
> > + if (WARN_ON(start < VMALLOC_START || start > VMALLOC_END ||
> > + end < VMALLOC_START || end > VMALLOC_END))
> > + return NULL;
> > +
> > return __get_vm_area_node(size, 1, flags, start, end, NUMA_NO_NODE,
> > GFP_KERNEL, __builtin_return_address(0));
> > }
> Peter, could you please clarify what kind of issues you had and how you
> tested?

Well, I had a bug and corrupted text; but then I tested:

__get_vm_area(PAGE_SIZE, VM_ALLOC, __START_KERNEL_map,
__START_KERNEL_map + KERNEL_IMAGE_SIZE);

and that *works*.

> __get_vm_area() is not limited by allocating only with vmalloc space,
> it can use whole virtual address space/range, i.e. 1 - ULONG_MAX.

Yeah, I know, I'm saying it perhaps should be, because not limiting it
while exposing it to modules seems risky at best, downright dangerous if
you consider map_vm_area() is also exported.

And while I know the machinery works for the complete virtual address
space, architectures do set aside explicit VA ranges for specific
purposes, we had better respect that, esp. for modules.