| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 26 May 2022 14:34:25 +0100
From: Matthew Wilcox <willy@...radead.org>
To: Miaohe Lin <linmiaohe@...wei.com>
Cc: akpm@...ux-foundation.org, pasha.tatashin@...een.com,
rientjes@...gle.com, linux-mm@...ck.org,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH] mm/page_table_check: fix accessing unmapped ptep
On Thu, May 26, 2022 at 07:33:50PM +0800, Miaohe Lin wrote:
> ptep is unmapped too early, so ptep will be accessed while it's unmapped.
> Fix it by deferring pte_unmap() until page table checking is done.
>
> Fixes: 80110bbfbba6 ("mm/page_table_check: check entries at pmd levels")
> Signed-off-by: Miaohe Lin <linmiaohe@...wei.com>
> ---
> mm/page_table_check.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/mm/page_table_check.c b/mm/page_table_check.c
> index 3692bea2ea2c..971c3129b0e3 100644
> --- a/mm/page_table_check.c
> +++ b/mm/page_table_check.c
> @@ -234,11 +234,11 @@ void __page_table_check_pte_clear_range(struct mm_struct *mm,
> pte_t *ptep = pte_offset_map(&pmd, addr);
> unsigned long i;
>
> - pte_unmap(ptep);
> for (i = 0; i < PTRS_PER_PTE; i++) {
> __page_table_check_pte_clear(mm, addr, *ptep);
> addr += PAGE_SIZE;
> ptep++;
> }
> + pte_unmap(ptep);
But ptep was mutated in the loop. So surely this needs to be:
pte_unmap(ptep - PTRS_PER_PTE);
or you'll be unmapping the wrong page.
Powered by blists - more mailing lists