lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Fri, 22 Mar 2019 12:15:51 +0100
From:   Greg Kroah-Hartman <>
Cc:     Greg Kroah-Hartman <>,, Roman Penyaev <>,
        Michal Hocko <>,
        Andrey Ryabinin <>,
        Joe Perches <>,
        "Luis R. Rodriguez" <>,
        Andrew Morton <>,
        Linus Torvalds <>
Subject: [PATCH 4.9 079/118] mm/vmalloc: fix size check for remap_vmalloc_range_partial()

4.9-stable review patch.  If anyone has any objections, please let me know.


From: Roman Penyaev <>

commit 401592d2e095947344e10ec0623adbcd58934dd4 upstream.

When VM_NO_GUARD is not set area->size includes adjacent guard page,
thus for correct size checking get_vm_area_size() should be used, but
not area->size.

This fixes possible kernel oops when userspace tries to mmap an area on
1 page bigger than was allocated by vmalloc_user() call: the size check
inside remap_vmalloc_range_partial() accounts non-existing guard page
also, so check successfully passes but vmalloc_to_page() returns NULL
(guard page does not physically exist).

The following code pattern example should trigger an oops:

  static int oops_mmap(struct file *file, struct vm_area_struct *vma)
        void *mem;

        mem = vmalloc_user(4096);
        /* Do not care about mem leak */

        return remap_vmalloc_range(vma, mem, 0);

And userspace simply mmaps size + PAGE_SIZE:


Possible candidates for oops which do not have any explicit size

   *** drivers/media/usb/stkwebcam/stk-webcam.c:
   v4l_stk_mmap[789]   ret = remap_vmalloc_range(vma, sbuf->buffer, 0);

Or the following one:

   *** drivers/video/fbdev/core/fbmem.c
   static int
   fb_mmap(struct file *file, struct vm_area_struct * vma)
        res = fb->fb_mmap(info, vma);

Where fb_mmap callback calls remap_vmalloc_range() directly without any
explicit checks:

   *** drivers/video/fbdev/vfb.c
   static int vfb_mmap(struct fb_info *info,
             struct vm_area_struct *vma)
       return remap_vmalloc_range(vma, (void *)info->fix.smem_start, vma->vm_pgoff);

Signed-off-by: Roman Penyaev <>
Acked-by: Michal Hocko <>
Cc: Andrey Ryabinin <>
Cc: Joe Perches <>
Cc: "Luis R. Rodriguez" <>
Cc: <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
Signed-off-by: Greg Kroah-Hartman <>

 mm/vmalloc.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/mm/vmalloc.c
+++ b/mm/vmalloc.c
@@ -2191,7 +2191,7 @@ int remap_vmalloc_range_partial(struct v
 	if (!(area->flags & VM_USERMAP))
 		return -EINVAL;
-	if (kaddr + size > area->addr + area->size)
+	if (kaddr + size > area->addr + get_vm_area_size(area))
 		return -EINVAL;
 	do {

Powered by blists - more mailing lists