lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Mon, 22 Aug 2011 15:25:05 -0700
From:	Andrew Morton <akpm@...ux-foundation.org>
To:	Mitsuo Hayasaka <mitsuo.hayasaka.hu@...achi.com>
Cc:	linux-mm@...ck.org, linux-kernel@...r.kernel.org,
	KOSAKI Motohiro <kosaki.motohiro@...fujitsu.com>,
	yrl.pp-manager.tt@...achi.com,
	David Rientjes <rientjes@...gle.com>,
	Namhyung Kim <namhyung@...il.com>,
	"Paul E. McKenney" <paulmck@...ux.vnet.ibm.com>,
	Jeremy Fitzhardinge <jeremy.fitzhardinge@...rix.com>
Subject: Re: [PATCH -v3] avoid null pointer access in vm_struct

On Sun, 21 Aug 2011 17:21:32 +0900
Mitsuo Hayasaka <mitsuo.hayasaka.hu@...achi.com> wrote:

> The /proc/vmallocinfo shows information about vmalloc allocations in vmlist
> that is a linklist of vm_struct. It, however, may access pages field of
> vm_struct where a page was not allocated. This results in a null pointer
> access and leads to a kernel panic.
> 
> Why this happen:
> In __vmalloc_node_range() called from vmalloc(), newly allocated vm_struct
> is added to vmlist at __get_vm_area_node() and then, some fields of
> vm_struct such as nr_pages and pages are set at __vmalloc_area_node(). In
> other words, it is added to vmlist before it is fully initialized. At the
> same time, when the /proc/vmallocinfo is read, it accesses the pages field
> of vm_struct according to the nr_pages field at show_numa_info(). Thus, a
> null pointer access happens.
> 
> Patch:
> This patch adds newly allocated vm_struct to the vmlist *after* it is fully
> initialized. So, it can avoid accessing the pages field with unallocated
> page when show_numa_info() is called.

Seems rather ugly, but I guess it's OK.  vmalloc() is "special" in that
it fills the area with allocated pages, whereas all the
get_vm_area()-type callers don't do that.

>
> ...
>
> @@ -1381,17 +1403,20 @@ struct vm_struct *remove_vm_area(const void *addr)
>  	va = find_vmap_area((unsigned long)addr);
>  	if (va && va->flags & VM_VM_AREA) {
>  		struct vm_struct *vm = va->private;
> -		struct vm_struct *tmp, **p;
> -		/*
> -		 * remove from list and disallow access to this vm_struct
> -		 * before unmap. (address range confliction is maintained by
> -		 * vmap.)
> -		 */
> -		write_lock(&vmlist_lock);
> -		for (p = &vmlist; (tmp = *p) != vm; p = &tmp->next)
> -			;
> -		*p = tmp->next;
> -		write_unlock(&vmlist_lock);
> +
> +		if (!(vm->flags & VM_UNLIST)) {
> +			struct vm_struct *tmp, **p;
> +			/*
> +			 * remove from list and disallow access to
> +			 * this vm_struct before unmap. (address range
> +			 * confliction is maintained by vmap.)
> +			 */
> +			write_lock(&vmlist_lock);
> +			for (p = &vmlist; (tmp = *p) != vm; p = &tmp->next)
> +				;
> +			*p = tmp->next;
> +			write_unlock(&vmlist_lock);
> +		}

Is this needed?  How can remove_vm_area() actually be called with a
VM_UNLIST area?


I think I'll let this patch cook in linux-next for a while and shall
tag it for backporting into 3.1.x later on.

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ