lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <20220329173155.172439-1-pbonzini@redhat.com>
Date:   Tue, 29 Mar 2022 13:31:55 -0400
From:   Paolo Bonzini <pbonzini@...hat.com>
To:     linux-kernel@...r.kernel.org, kvm@...r.kernel.org
Cc:     seanjc@...gle.com,
        syzbot+6bde52d89cfdf9f61425@...kaller.appspotmail.com,
        linux-mm@...ck.org, akpm@...ux-foundation.org,
        stable@...r.kernel.org
Subject: [PATCH] mm: avoid pointless invalidate_range_start/end on mremap(old_size=0)

If an mremap() syscall with old_size=0 ends up in move_page_tables(),
it will call invalidate_range_start()/invalidate_range_end() unnecessarily,
i.e. with an empty range.

This causes a WARN in KVM's mmu_notifier.  In the past, empty ranges
have been diagnosed to be off-by-one bugs, hence the WARNing.
Given the low (so far) number of unique reports, the benefits of
detecting more buggy callers seem to outweigh the cost of having
to fix cases such as this one, where userspace is doing something
silly.  In this particular case, an early return from move_page_tables()
is enough to fix the issue.

Reported-by: syzbot+6bde52d89cfdf9f61425@...kaller.appspotmail.com
Cc: linux-mm@...ck.org
Cc: akpm@...ux-foundation.org
Cc: stable@...r.kernel.org
Signed-off-by: Paolo Bonzini <pbonzini@...hat.com>
---
 mm/mremap.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/mm/mremap.c b/mm/mremap.c
index 002eec83e91e..0e175aef536e 100644
--- a/mm/mremap.c
+++ b/mm/mremap.c
@@ -486,6 +486,9 @@ unsigned long move_page_tables(struct vm_area_struct *vma,
 	pmd_t *old_pmd, *new_pmd;
 	pud_t *old_pud, *new_pud;
 
+	if (!len)
+		return 0;
+
 	old_end = old_addr + len;
 	flush_cache_range(vma, old_addr, old_end);
 
-- 
2.31.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ