lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <20180914175122.21036-2-rkir@google.com>
Date:   Fri, 14 Sep 2018 10:51:03 -0700
From:   rkir@...gle.com
To:     gregkh@...uxfoundation.org
Cc:     tkjos@...gle.com, linux-kernel@...r.kernel.org,
        Roman Kiryanov <rkir@...gle.com>
Subject: [PATCH 02/21] platform: goldfish: pipe: Prevent memory corruption
 from several threads writing to the same variable

From: Roman Kiryanov <rkir@...gle.com>

Move the "pages" buffer into "struct goldfish_pipe". Since we are
locking the mutex on the pipe in transfer_max_buffers, other threads
willnot be able to write into it, but other pipe instances could be
served because they have its own buffer.

Signed-off-by: Roman Kiryanov <rkir@...gle.com>
---
 drivers/platform/goldfish/goldfish_pipe.c | 24 +++++++++++++----------
 1 file changed, 14 insertions(+), 10 deletions(-)

diff --git a/drivers/platform/goldfish/goldfish_pipe.c b/drivers/platform/goldfish/goldfish_pipe.c
index b4a484bbcdaa..6ae2b00f4bff 100644
--- a/drivers/platform/goldfish/goldfish_pipe.c
+++ b/drivers/platform/goldfish/goldfish_pipe.c
@@ -163,6 +163,9 @@ struct goldfish_pipe {
 
 	/* Pointer to the parent goldfish_pipe_dev instance */
 	struct goldfish_pipe_dev *dev;
+
+	/* A buffer of pages, too large to fit into a stack frame */
+	struct page *pages[MAX_BUFFERS_PER_COMMAND];
 };
 
 /* The global driver data. Holds a reference to the i/o page used to
@@ -340,21 +343,23 @@ static int transfer_max_buffers(struct goldfish_pipe *pipe,
 				s32 *consumed_size,
 				int *status)
 {
-	static struct page *pages[MAX_BUFFERS_PER_COMMAND];
 	unsigned long first_page = address & PAGE_MASK;
 	unsigned int iter_last_page_size;
-	int pages_count = pin_user_pages(first_page, last_page,
-					 last_page_size, is_write,
-					 pages, &iter_last_page_size);
-
-	if (pages_count < 0)
-		return pages_count;
+	int pages_count;
 
 	/* Serialize access to the pipe command buffers */
 	if (mutex_lock_interruptible(&pipe->lock))
 		return -ERESTARTSYS;
 
-	populate_rw_params(pages, pages_count, address, address_end,
+	pages_count = pin_user_pages(first_page, last_page,
+				     last_page_size, is_write,
+				     pipe->pages, &iter_last_page_size);
+	if (pages_count < 0) {
+		mutex_unlock(&pipe->lock);
+		return pages_count;
+	}
+
+	populate_rw_params(pipe->pages, pages_count, address, address_end,
 			   first_page, last_page, iter_last_page_size, is_write,
 			   pipe->command_buffer);
 
@@ -364,10 +369,9 @@ static int transfer_max_buffers(struct goldfish_pipe *pipe,
 
 	*consumed_size = pipe->command_buffer->rw_params.consumed_size;
 
-	release_user_pages(pages, pages_count, is_write, *consumed_size);
+	release_user_pages(pipe->pages, pages_count, is_write, *consumed_size);
 
 	mutex_unlock(&pipe->lock);
-
 	return 0;
 }
 
-- 
2.19.0.397.gdd90340f6a-goog

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ