| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20220713084536.1af461b016a16c58baad7db2@linux-foundation.org>
Date: Wed, 13 Jul 2022 08:45:36 -0700
From: Andrew Morton <akpm@...ux-foundation.org>
To: Maurizio Lombardi <mlombard@...hat.com>
Cc: alexander.duyck@...il.com, kuba@...nel.org, linux-mm@...ck.org,
linux-kernel@...r.kernel.org, netdev@...r.kernel.org,
chen45464546@....com
Subject: Re: [PATCH V2] mm: prevent page_frag_alloc() from corrupting the
memory
On Wed, 13 Jul 2022 17:01:43 +0200 Maurizio Lombardi <mlombard@...hat.com> wrote:
> A number of drivers call page_frag_alloc() with a
> fragment's size > PAGE_SIZE.
> In low memory conditions, __page_frag_cache_refill() may fail the order 3
> cache allocation and fall back to order 0;
> In this case, the cache will be smaller than the fragment, causing
> memory corruptions.
>
> Prevent this from happening by checking if the newly allocated cache
> is large enough for the fragment; if not, the allocation will fail
> and page_frag_alloc() will return NULL.
>
> ...
>
> --- a/mm/page_alloc.c
> +++ b/mm/page_alloc.c
> @@ -5617,6 +5617,8 @@ void *page_frag_alloc_align(struct page_frag_cache *nc,
> /* reset page count bias and offset to start of new frag */
> nc->pagecnt_bias = PAGE_FRAG_CACHE_MAX_SIZE + 1;
> offset = size - fragsz;
> + if (unlikely(offset < 0))
> + return NULL;
> }
>
> nc->pagecnt_bias--;
I think we should have a comment here explaining (at least) why we'd
bale after a successful allocation and explaining why we don't call
free_the_page().
Powered by blists - more mailing lists