lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Wed, 4 Jan 2017 12:45:32 +0100
From:   Greg KH <gregkh@...uxfoundation.org>
To:     Robin Murphy <robin.murphy@....com>
Cc:     Jason@...c4.com, linux-kernel@...r.kernel.org,
        stable@...r.kernel.org
Subject: Re: [PATCH] drivers: char: mem: Fix thinko in kmem address checks

On Wed, Jan 04, 2017 at 11:37:49AM +0000, Robin Murphy wrote:
> When borrowing the pfn_valid() check from mmap_kmem(), somebody managed

"sombody"?  :)

> to get physical and virtual addresses spectacularly muddled up, such
> that we've ended up with checks for one being the other. Whilst this
> does indeed prevent out-of-bounds accesses crashing, on most systems it
> also prevents the more desirable use-case of working at all ever.
> 
> Check the *virtual* offset correctly for what it is.
> 
> Reported-by: Jason A. Donenfeld <Jason@...c4.com>
> CC: stable@...r.kernel.org
> Fixes: 148a1bc84398 ("drivers: char: mem: Check {read,write}_kmem() addresses")
> Signed-off-by: Robin Murphy <robin.murphy@....com>
> ---
>  drivers/char/mem.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/char/mem.c b/drivers/char/mem.c
> index 5bb1985ec484..bdc6a4018604 100644
> --- a/drivers/char/mem.c
> +++ b/drivers/char/mem.c
> @@ -381,7 +381,7 @@ static ssize_t read_kmem(struct file *file, char __user *buf,
>  	char *kbuf; /* k-addr because vread() takes vmlist_lock rwlock */
>  	int err = 0;
>  
> -	if (!pfn_valid(PFN_DOWN(p)))
> +	if (!virt_addr_valid(p))
>  		return -EIO;
>  
>  	read = 0;
> @@ -512,7 +512,7 @@ static ssize_t write_kmem(struct file *file, const char __user *buf,
>  	char *kbuf; /* k-addr because vwrite() takes vmlist_lock rwlock */
>  	int err = 0;
>  
> -	if (!pfn_valid(PFN_DOWN(p)))
> +	if (!virt_addr_valid(p))
>  		return -EIO;
>  
>  	if (p < (unsigned long) high_memory) {

Jason, can you verify this fixes your test case?

thanks,

greg k-h

Powered by blists - more mailing lists