| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 18 Mar 2022 15:11:30 +0800
From: Chen Jiahao <chenjiahao16@...wei.com>
To: <arnd@...db.de>, <ebiederm@...ssion.com>, <sam@...nborg.org>,
<shorne@...il.com>, <dinguyen@...nel.org>,
<linux-arch@...r.kernel.org>, <linux-kernel@...r.kernel.org>
Subject: [PATCH -next] uaccess: fix __access_ok limit setup in compat mode
In __access_ok, TASK_SIZE_MAX is used to check if a memory access
is in user address space, but some cases may get omitted in compat
mode.
For example, a 32-bit testcase calling pread64(fd, buf, -1, 1)
and running in x86-64 kernel, the obviously illegal size "-1" will
get ignored by __access_ok. Since from the kernel point of view,
32-bit userspace 0xffffffff is within the limit of 64-bit
TASK_SIZE_MAX.
Replacing the limit TASK_SIZE_MAX with TASK_SIZE in __access_ok
will fix the problem above.
Fixes: 967747bbc084 ("uaccess: remove CONFIG_SET_FS")
Signed-off-by: Chen Jiahao <chenjiahao16@...wei.com>
---
include/asm-generic/access_ok.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/asm-generic/access_ok.h b/include/asm-generic/access_ok.h
index 2866ae61b1cd..824a6bf1c32f 100644
--- a/include/asm-generic/access_ok.h
+++ b/include/asm-generic/access_ok.h
@@ -30,7 +30,7 @@
*/
static inline int __access_ok(const void __user *ptr, unsigned long size)
{
- unsigned long limit = TASK_SIZE_MAX;
+ unsigned long limit = TASK_SIZE;
unsigned long addr = (unsigned long)ptr;
if (IS_ENABLED(CONFIG_ALTERNATE_USER_ADDRESS_SPACE) ||
--
2.31.1
Powered by blists - more mailing lists