[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <20210301161212.922181446@linuxfoundation.org>
Date: Mon, 1 Mar 2021 17:14:36 +0100
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-kernel@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
stable@...r.kernel.org, Johannes Berg <johannes.berg@...el.com>,
Richard Weinberger <richard@....at>
Subject: [PATCH 5.10 628/663] um: mm: check more comprehensively for stub changes
From: Johannes Berg <johannes.berg@...el.com>
commit 47da29763ec9a153b9b685bff9db659e4e09e494 upstream.
If userspace tries to change the stub, we need to kill it,
because otherwise it can escape the virtual machine. In a
few cases the stub checks weren't good, e.g. if userspace
just tries to
mmap(0x100000 - 0x1000, 0x3000, ...)
it could succeed to get a new private/anonymous mapping
replacing the stubs. Fix this by checking everywhere, and
checking for _overlap_, not just direct changes.
Cc: stable@...r.kernel.org
Fixes: 3963333fe676 ("uml: cover stubs with a VMA")
Signed-off-by: Johannes Berg <johannes.berg@...el.com>
Signed-off-by: Richard Weinberger <richard@....at>
Signed-off-by: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
---
arch/um/kernel/tlb.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
--- a/arch/um/kernel/tlb.c
+++ b/arch/um/kernel/tlb.c
@@ -125,6 +125,9 @@ static int add_mmap(unsigned long virt,
struct host_vm_op *last;
int fd = -1, ret = 0;
+ if (virt + len > STUB_START && virt < STUB_END)
+ return -EINVAL;
+
if (hvc->userspace)
fd = phys_mapping(phys, &offset);
else
@@ -162,7 +165,7 @@ static int add_munmap(unsigned long addr
struct host_vm_op *last;
int ret = 0;
- if ((addr >= STUB_START) && (addr < STUB_END))
+ if (addr + len > STUB_START && addr < STUB_END)
return -EINVAL;
if (hvc->index != 0) {
@@ -192,6 +195,9 @@ static int add_mprotect(unsigned long ad
struct host_vm_op *last;
int ret = 0;
+ if (addr + len > STUB_START && addr < STUB_END)
+ return -EINVAL;
+
if (hvc->index != 0) {
last = &hvc->ops[hvc->index - 1];
if ((last->type == MPROTECT) &&
@@ -472,6 +478,10 @@ void flush_tlb_page(struct vm_area_struc
struct mm_id *mm_id;
address &= PAGE_MASK;
+
+ if (address >= STUB_START && address < STUB_END)
+ goto kill;
+
pgd = pgd_offset(mm, address);
if (!pgd_present(*pgd))
goto kill;
Powered by blists - more mailing lists