| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20220713145854.147356-1-mlombard@redhat.com>
Date: Wed, 13 Jul 2022 16:58:54 +0200
From: Maurizio Lombardi <mlombard@...hat.com>
To: alexander.duyck@...il.com
Cc: kuba@...nel.org, akpm@...ux-foundation.org, linux-mm@...ck.org,
linux-kernel@...r.kernel.org, netdev@...r.kernel.org,
chen45464546@....com
Subject: [PATCH] mm: prevent page_frag_alloc() from corrupting the memory
A number of drivers call page_frag_alloc() with a
fragment's size > PAGE_SIZE.
In low memory conditions, __page_frag_cache_refill() may fail the order 3
cache allocation and fall back to order 0;
In this case, the cache will be smaller than the fragment, causing
memory corruptions.
Prevent this from happening by checking if the newly allocated cache
is large enough for the fragment; if not, the allocation will fail
and page_frag_alloc() will return NULL.
V2: do not free the cache page because this could make memory pressure
even worse, just return NULL.
Signed-off-by: Maurizio Lombardi <mlombard@...hat.com>
---
mm/page_alloc.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/mm/page_alloc.c b/mm/page_alloc.c
index e008a3df0485..b1407254a826 100644
--- a/mm/page_alloc.c
+++ b/mm/page_alloc.c
@@ -5617,6 +5617,8 @@ void *page_frag_alloc_align(struct page_frag_cache *nc,
/* reset page count bias and offset to start of new frag */
nc->pagecnt_bias = PAGE_FRAG_CACHE_MAX_SIZE + 1;
offset = size - fragsz;
+ if (unlikely(offset < 0))
+ return NULL;
}
nc->pagecnt_bias--;
--
2.31.1
Powered by blists - more mailing lists