lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-Id: <20180430160436.45f92ec5b3c78c84e4425ec4@linux-foundation.org>
Date:   Mon, 30 Apr 2018 16:04:36 -0700
From:   Andrew Morton <akpm@...ux-foundation.org>
To:     Chintan Pandya <cpandya@...eaurora.org>
Cc:     vbabka@...e.cz, labbott@...hat.com, catalin.marinas@....com,
        hannes@...xchg.org, f.fainelli@...il.com, xieyisheng1@...wei.com,
        ard.biesheuvel@...aro.org, richard.weiyang@...il.com,
        byungchul.park@....com, linux-mm@...ck.org,
        linux-kernel@...r.kernel.org, khandual@...ux.vnet.ibm.com,
        mhocko@...nel.org
Subject: Re: [PATCH v2 2/2] mm: vmalloc: Pass proper vm_start into
 debugobjects

On Tue, 17 Apr 2018 16:13:48 +0530 Chintan Pandya <cpandya@...eaurora.org> wrote:

> Client can call vunmap with some intermediate 'addr'
> which may not be the start of the VM area. Entire
> unmap code works with vm->vm_start which is proper
> but debug object API is called with 'addr'. This
> could be a problem within debug objects.

As far as I can tell this is indeed the case, but it's a pretty weird
thing for us to do.  I wonder if there is any code in the kernel which
is passing such an offset address into vunmap().  If so, perhaps we
should check for it and do a WARN_ONCE so it gets fixed.

> Pass proper start address into debug object API.
>
> ...
>
> --- a/mm/vmalloc.c
> +++ b/mm/vmalloc.c
> @@ -1124,15 +1124,15 @@ void vm_unmap_ram(const void *mem, unsigned int count)
>  	BUG_ON(addr > VMALLOC_END);
>  	BUG_ON(!PAGE_ALIGNED(addr));
>  
> -	debug_check_no_locks_freed(mem, size);
> -
>  	if (likely(count <= VMAP_MAX_ALLOC)) {
> +		debug_check_no_locks_freed(mem, size);

But this still has the problem you described, no?  Shouldn't we be
doing yet another find_vmap_area()?

>  		vb_free(mem, size);
>  		return;
>  	}
>  
>  	va = find_vmap_area(addr);
>  	BUG_ON(!va);
> +	debug_check_no_locks_freed(va->va_start, (va->va_end - va->va_start));
>  	free_unmap_vmap_area(va);
>  }
>  EXPORT_SYMBOL(vm_unmap_ram);
> @@ -1507,8 +1507,8 @@ static void __vunmap(const void *addr, int deallocate_pages)
>  		return;
>  	}
>  
> -	debug_check_no_locks_freed(addr, get_vm_area_size(area));
> -	debug_check_no_obj_freed(addr, get_vm_area_size(area));
> +	debug_check_no_locks_freed(area->addr, get_vm_area_size(area));
> +	debug_check_no_obj_freed(area->addr, get_vm_area_size(area));
>  

Offtopic: it's a bit sad that __vunmap() does the find_vmap_area() then
calls remove_vm_area() which runs find_vmap_area() yet again...

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ