| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 10 Nov 2022 18:23:55 +0800
From: Baoquan He <bhe@...hat.com>
To: Stephen Brennan <stephen.s.brennan@...cle.com>
Cc: linux-kernel@...r.kernel.org, linux-mm@...ck.org,
akpm@...ux-foundation.org, urezki@...il.com, hch@...radead.org
Subject: Re: [PATCH RFC 3/3] mm/vmalloc.c: allow vread() to read out
vm_map_ram areas
On 11/09/22 at 04:59pm, Stephen Brennan wrote:
......
> > @@ -3569,12 +3609,14 @@ long vread(char *buf, char *addr, unsigned long count)
> > if (!count)
> > break;
> >
> > - if (!va->vm)
> > + if (!(va->flags & VMAP_RAM) && !va->vm)
> > continue;
> >
> > vm = va->vm;
> > - vaddr = (char *) vm->addr;
> > - if (addr >= vaddr + get_vm_area_size(vm))
> > + vaddr = (char *) va->va_start;
> > + size = vm ? get_vm_area_size(vm) : va_size(va);
>
> Hi Baoquan,
>
> Thanks for working on this. I tested your patches out by using drgn to
> debug /proc/kcore. I have a kernel module[1] to do a vm_map_ram() call
> and print the virtual address to the kernel log so I can try to read
> that memory address in drgn. When I did this test, I got a panic on the
> above line of code.
......
> Since flags is in a union, it shadows "vm" and causes the condition to
> be true, and then get_vm_area_size() tries to follow the pointer defined
> by flags. I'm not sure if the fix is to have flags be a separate field
> inside vmap_area, or to have more careful handling in the vread path.
Sorry, my bad. Thanks for testing this and catching the error, Stephen.
About the fix, both way are fine to me. I made a draft fix based on the
current patchset. To me, adding flags in a separate field makes code
easier, but cost extra memory. I will see what other people say about
this, firstly if the solution is acceptable, then reusing the union
field or adding anohter flags.
Could you try below code to see if it works?
diff --git a/mm/vmalloc.c b/mm/vmalloc.c
index 5a8d5659bfb0..78cae59170d8 100644
--- a/mm/vmalloc.c
+++ b/mm/vmalloc.c
@@ -1890,6 +1890,7 @@ struct vmap_area *find_vmap_area(unsigned long addr)
#define VMAP_RAM 0x1
#define VMAP_BLOCK 0x2
+#define VMAP_FLAGS_MASK 0x3
struct vmap_block_queue {
spinlock_t lock;
@@ -3588,7 +3589,7 @@ long vread(char *buf, char *addr, unsigned long count)
struct vm_struct *vm;
char *vaddr, *buf_start = buf;
unsigned long buflen = count;
- unsigned long n, size;
+ unsigned long n, size, flags;
addr = kasan_reset_tag(addr);
@@ -3609,12 +3610,14 @@ long vread(char *buf, char *addr, unsigned long count)
if (!count)
break;
- if (!(va->flags & VMAP_RAM) && !va->vm)
+ if (!va->vm)
continue;
+ flags = va->flags & VMAP_FLAGS_MASK;
vm = va->vm;
+
vaddr = (char *) va->va_start;
- size = vm ? get_vm_area_size(vm) : va_size(va);
+ size = flags ? va_size(va) : get_vm_area_size(vm);
if (addr >= vaddr + size)
continue;
@@ -3630,9 +3633,9 @@ long vread(char *buf, char *addr, unsigned long count)
if (n > count)
n = count;
- if ((va->flags & (VMAP_RAM|VMAP_BLOCK)) == (VMAP_RAM|VMAP_BLOCK))
+ if ((flags & (VMAP_RAM|VMAP_BLOCK)) == (VMAP_RAM|VMAP_BLOCK))
vb_vread(buf, addr, n);
- else if ((va->flags & VMAP_RAM) || !(vm->flags & VM_IOREMAP))
+ else if ((flags & VMAP_RAM) || !(vm->flags & VM_IOREMAP))
aligned_vread(buf, addr, n);
else /* IOREMAP area is treated as memory hole */
memset(buf, 0, n);
Powered by blists - more mailing lists