| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 3 Feb 2011 13:01:50 -0800
From: Andrew Morton <akpm@...ux-foundation.org>
To: Jesper Juhl <jj@...osbits.net>
Cc: linux-kernel@...r.kernel.org, x86@...nel.org, linux-mm@...ck.org,
Tejun Heo <tj@...nel.org>, "H. Peter Anvin" <hpa@...or.com>,
Ingo Molnar <mingo@...hat.com>,
Thomas Gleixner <tglx@...utronix.de>,
Rohit Seth <rohit.seth@...el.com>
Subject: Re: [PATCH] Huge TLB: Potential NULL deref in
arch/x86/mm/hugetlbpage.c:huge_pmd_share()
On Thu, 3 Feb 2011 21:50:04 +0100 (CET)
Jesper Juhl <jj@...osbits.net> wrote:
> In arch/x86/mm/hugetlbpage.c:huge_pmd_share() we call find_vma(mm, addr)
> and then subsequently dereference the pointer returned without checking if
> it was NULL. I can't find anything that guarantees that find_vma() will
> never return NULL in this case, so I believe there's a genuine bug.
> However, I'd greatly appreciate it if someone would take the time to
> double check me.
> This patch implements what I believe to be the correct handling of a NULL
> return from find_vma(). Please consider for inclusion.
>
> Signed-off-by: Jesper Juhl <jj@...osbits.net>
> ---
> hugetlbpage.c | 11 ++++++++---
> 1 file changed, 8 insertions(+), 3 deletions(-)
>
> diff --git a/arch/x86/mm/hugetlbpage.c b/arch/x86/mm/hugetlbpage.c
> index 069ce7c..0ebd3d0 100644
> --- a/arch/x86/mm/hugetlbpage.c
> +++ b/arch/x86/mm/hugetlbpage.c
> @@ -61,14 +61,19 @@ static int vma_shareable(struct vm_area_struct *vma, unsigned long addr)
> static void huge_pmd_share(struct mm_struct *mm, unsigned long addr, pud_t *pud)
> {
> struct vm_area_struct *vma = find_vma(mm, addr);
> - struct address_space *mapping = vma->vm_file->f_mapping;
> - pgoff_t idx = ((addr - vma->vm_start) >> PAGE_SHIFT) +
> - vma->vm_pgoff;
> + struct address_space *mapping;
> + pgoff_t idx;
> struct prio_tree_iter iter;
> struct vm_area_struct *svma;
> unsigned long saddr;
> pte_t *spte = NULL;
>
> + if (!vma)
> + return;
> +
> + mapping = vma->vm_file->f_mapping;
> + idx = ((addr - vma->vm_start) >> PAGE_SHIFT) + vma->vm_pgoff;
> +
> if (!vma_shareable(vma, addr))
> return;
mmap_sem is held and the caller (copy_hugetlb_page_range) knows that
the virtual address at `addr' is within a vma. So it's a "can't happen".
The code's all undocumented and you got fooled. Cause, effect.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists