| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 24 Apr 2012 12:01:52 -0700 (PDT)
From: Hugh Dickins <hughd@...gle.com>
To: Siddhesh Poyarekar <siddhesh.poyarekar@...il.com>
cc: Andrew Morton <akpm@...ux-foundation.org>,
Tejun Heo <tj@...nel.org>, Oleg Nesterov <oleg@...hat.com>,
Jens Axboe <axboe@...nel.dk>,
Peter Zijlstra <a.p.zijlstra@...llo.nl>,
linux-kernel@...r.kernel.org, linux-mm@...ck.org
Subject: Re: [PATCH] Fix overflow in vma length when copying mmap on clone
On Tue, 24 Apr 2012, Siddhesh Poyarekar wrote:
> The vma length in dup_mmap is calculated and stored in a unsigned int,
> which is insufficient and hence overflows for very large maps (beyond
> 16TB). The following program demonstrates this:
>
> \#include <stdio.h>
> \#include <unistd.h>
> \#include <sys/mman.h>
>
> \#define GIG 1024 * 1024 * 1024L
> \#define EXTENT 16393
>
> int main(void)
> {
> int i, r;
> void *m;
> char buf[1024];
>
> for (i = 0; i < EXTENT; i++) {
> m = mmap(NULL, (size_t) 1 * 1024 * 1024 * 1024L,
> PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, 0, 0);
>
> if (m == (void *)-1)
> printf("MMAP Failed: %d\n", m);
> else
> printf("%d : MMAP returned %p\n", i, m);
>
> r = fork();
>
> if (r == 0) {
> printf("%d: successed\n", i);
> return 0;
> } else if (r < 0)
> printf("FORK Failed: %d\n", r);
> else if (r > 0)
> wait(NULL);
> }
> return 0;
> }
>
> This trivial patch increases the storage size of the result to
> unsigned long, which should be sufficient for storing the difference
> between addresses.
>
> Signed-off-by: Siddhesh Poyarekar <siddhesh.poyarekar@...il.com>
Good catch, thank you, remarkable that's survived for so long.
For the patch,
Acked-by: Hugh Dickins <hughd@...gle.com>
Cc: stable@...r.kernel.org
But I didn't (try very hard to) work out what your demo program shows
- though I am amused by your sense of humour in using %d for a pointer
there! I wonder what setting of /proc/sys/vm/overcommit_memory is
needed for it to behave as you intend?
Personally, I wouldn't bother with the demo and describing it more fully,
I'd just be glad to get that fix in at last.
> ---
> kernel/fork.c | 3 ++-
> 1 files changed, 2 insertions(+), 1 deletions(-)
>
> diff --git a/kernel/fork.c b/kernel/fork.c
> index b9372a0..7acaee1 100644
> --- a/kernel/fork.c
> +++ b/kernel/fork.c
> @@ -355,7 +355,8 @@ static int dup_mmap(struct mm_struct *mm, struct mm_struct *oldmm)
> }
> charge = 0;
> if (mpnt->vm_flags & VM_ACCOUNT) {
> - unsigned int len = (mpnt->vm_end - mpnt->vm_start) >> PAGE_SHIFT;
> + unsigned long len;
> + len = (mpnt->vm_end - mpnt->vm_start) >> PAGE_SHIFT;
> if (security_vm_enough_memory_mm(oldmm, len)) /* sic */
> goto fail_nomem;
> charge = len;
> --
> 1.7.7.6
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists