Re: [PATCH] mm/vmalloc: Sanitize __get_vm_area() arguments

From: Uladzislau Rezki
Date: Sat Apr 04 2020 - 15:00:22 EST


On Fri, Apr 03, 2020 at 08:53:00PM +0200, Peter Zijlstra wrote:
> On Fri, Apr 03, 2020 at 08:18:18PM +0200, Uladzislau Rezki wrote:
> > On Fri, Apr 03, 2020 at 06:32:53PM +0200, Peter Zijlstra wrote:
> > >
> > > __get_vm_area() is an exported symbol, make sure the callers stay in
> > > the expected memory range. When calling this function with memory
> > > ranges outside of the VMALLOC range *bad* things can happen.
> > >
> > > (I noticed this when I managed to corrupt the kernel text by accident)
> > >
> > > Signed-off-by: Peter Zijlstra (Intel) <peterz@xxxxxxxxxxxxx>
> > > ---
> > > mm/vmalloc.c | 7 +++++++
> > > 1 file changed, 7 insertions(+)
> > >
> > > --- a/mm/vmalloc.c
> > > +++ b/mm/vmalloc.c
> > > @@ -2130,6 +2130,13 @@ static struct vm_struct *__get_vm_area_n
> > > struct vm_struct *__get_vm_area(unsigned long size, unsigned long flags,
> > > unsigned long start, unsigned long end)
> > > {
> > > + /*
> > > + * Ensure callers stay in the vmalloc range.
> > > + */
> > > + if (WARN_ON(start < VMALLOC_START || start > VMALLOC_END ||
> > > + end < VMALLOC_START || end > VMALLOC_END))
> > > + return NULL;
> > > +
> > > return __get_vm_area_node(size, 1, flags, start, end, NUMA_NO_NODE,
> > > GFP_KERNEL, __builtin_return_address(0));
> > > }
> > Peter, could you please clarify what kind of issues you had and how you
> > tested?
>
> Well, I had a bug and corrupted text; but then I tested:
>
> __get_vm_area(PAGE_SIZE, VM_ALLOC, __START_KERNEL_map,
> __START_KERNEL_map + KERNEL_IMAGE_SIZE);
>
> and that *works*.
>
Do you mean that you corrupted "text" by calling __get_vm_area(...)
with special parameters? If so could you please show how you used it.

> > __get_vm_area() is not limited by allocating only with vmalloc space,
> > it can use whole virtual address space/range, i.e. 1 - ULONG_MAX.
>
> Yeah, I know, I'm saying it perhaps should be, because not limiting it
> while exposing it to modules seems risky at best, downright dangerous if
> you consider map_vm_area() is also exported.
>
Doing it to secure modules, probably is OK, but modules can also be reside
within vmalloc address space.

Thank you in advance!

--
Vlad Rezki