| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <Yqdpc336QsmVr1Tp@casper.infradead.org>
Date: Mon, 13 Jun 2022 17:44:35 +0100
From: Matthew Wilcox <willy@...radead.org>
To: Kees Cook <keescook@...omium.org>
Cc: linux-mm@...ck.org, Uladzislau Rezki <urezki@...il.com>,
Zorro Lang <zlang@...hat.com>, linux-xfs@...r.kernel.org,
linux-hardening@...r.kernel.org
Subject: Re: [PATCH 1/3] usercopy: Handle vm_map_ram() areas
On Mon, Jun 13, 2022 at 09:23:15AM -0700, Kees Cook wrote:
> On Sun, Jun 12, 2022 at 10:32:25PM +0100, Matthew Wilcox (Oracle) wrote:
> > vmalloc does not allocate a vm_struct for vm_map_ram() areas. That causes
> > us to deny usercopies from those areas. This affects XFS which uses
> > vm_map_ram() for its directories.
> >
> > Fix this by calling find_vmap_area() instead of find_vm_area().
>
> Thanks for the fixes!
>
> > [...]
> > + /* XXX: We should also abort for free vmap_areas */
>
> What's needed to detect this?
I'm not entirely sure. I only just learned of the existence of this
struct ;-)
/*
* The following two variables can be packed, because
* a vmap_area object can be either:
* 1) in "free" tree (root is free_vmap_area_root)
* 2) or "busy" tree (root is vmap_area_root)
*/
union {
unsigned long subtree_max_size; /* in "free" tree */
struct vm_struct *vm; /* in "busy" tree */
};
Hmm. Actually, we only search vmap_area_root, so I suppose it can't
be a free area. So this XXX can be removed, as we'll get NULL back
if we've got a pointer to a free area. Ulad, do I have this right?
Powered by blists - more mailing lists