| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20220902232732.12358-1-rick.p.edgecombe@intel.com>
Date: Fri, 2 Sep 2022 16:27:32 -0700
From: Rick Edgecombe <rick.p.edgecombe@...el.com>
To: pasha.tatashin@...een.com, akpm@...ux-foundation.org,
linux-mm@...ck.org
Cc: rick.p.edgecombe@...el.com, linux-kernel@...r.kernel.org
Subject: [PATCH] mm: Check writable zero page in page table check
The zero page should remain all zero, so that it can be mapped as
read-only for read faults of memory that should be zeroed. If it is ever
mapped writable to userspace, it could become non-zero and so other apps
would unexpectedly get non-zero data. So the zero page should never be
mapped writable to userspace. Check for this condition in
page_table_check_set().
Signed-off-by: Rick Edgecombe <rick.p.edgecombe@...el.com>
---
Hi,
CONFIG_PAGE_TABLE_CHECK is pretty explicit about what it checks (and
doesn't mention the zero page), but this condition seems to fit with the
general category of "pages mapped wrongly to userspace". I added it
locally to help me debug something. Maybe it's more widely useful.
mm/page_table_check.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/mm/page_table_check.c b/mm/page_table_check.c
index e2062748791a..665ece0d55d4 100644
--- a/mm/page_table_check.c
+++ b/mm/page_table_check.c
@@ -102,6 +102,8 @@ static void page_table_check_set(struct mm_struct *mm, unsigned long addr,
if (!pfn_valid(pfn))
return;
+ BUG_ON(is_zero_pfn(pfn) && rw);
+
page = pfn_to_page(pfn);
page_ext = lookup_page_ext(page);
anon = PageAnon(page);
base-commit: b90cb1053190353cc30f0fef0ef1f378ccc063c5
--
2.17.1
Powered by blists - more mailing lists