Date:   Sat, 15 Apr 2023 19:36:06 +0900
From:   Tetsuo Handa <penguin-kernel@...ove.SAKURA.ne.jp>
To:     Lorenzo Stoakes <lstoakes@...il.com>
Cc:     Andrew Morton <akpm@...ux-foundation.org>, linux-mm@...ck.org,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2 3/7] mm/gup: remove vmas parameter from
 get_user_pages_remote()

On 2023/04/15 19:14, Lorenzo Stoakes wrote:
> On Sat, Apr 15, 2023 at 06:52:41PM +0900, Tetsuo Handa wrote:
>> On 2023/04/15 18:08, Lorenzo Stoakes wrote:
>>> @@ -475,10 +474,14 @@ int uprobe_write_opcode(struct arch_uprobe *auprobe, struct mm_struct *mm,
>>>  		gup_flags |= FOLL_SPLIT_PMD;
>>>  	/* Read the page with vaddr into memory */
>>>  	ret = get_user_pages_remote(mm, vaddr, 1, gup_flags,
>>> -				    &old_page, &vma, NULL);
>>> +				    &old_page, NULL);
>>>  	if (ret <= 0)
>>>  		return ret;
>>>
>>> +	vma = vma_lookup(mm, vaddr);
>>> +	if (!vma)
>>> +		goto put_old;
>>> +
>>>  	ret = verify_opcode(old_page, vaddr, &opcode);
>>>  	if (ret <= 0)
>>>  		goto put_old;
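Review bot: at the added `if (!vma) goto put_old;`, ret still holds the positive value from get_user_pages_remote(), because the `ret <= 0` case has already returned, so put_old is reached without an error code. Set a negative errno first, for example `ret = -EINVAL;` before the goto, and add a short comment saying why a missing VMA is not expected here.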
>>
>> This conversion looks wrong.
>> This causes returning a positive number when vma_lookup() returned NULL.
>>
>>   * Return 0 (success) or a negative errno.
>>
> 
> In reality it shouldn't be possible for vma to return NULL, I'm adding the
> checks to be extra careful.
> 
> In any case you're right, attaching a -fix patch to avoid spam:-

If you want to return -EINVAL when vma_lookup() returned NULL for whatever
unexpected reason, returning -EOPNOTSUPP in the path below looks strange.

> @@ -448,7 +448,8 @@ static int __access_remote_tags(struct mm_struct *mm, unsigned long addr,
>  		 * would cause the existing tags to be cleared if the page
>  		 * was never mapped with PROT_MTE.
>  		 */
> -		if (!(vma->vm_flags & VM_MTE)) {
> +		vma = vma_lookup(mm, addr);
> +		if (!vma || !(vma->vm_flags & VM_MTE)) {
>  			ret = -EOPNOTSUPP;
>  			put_page(page);
>  			break;
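Review bot: folding `!vma` into the VM_MTE test makes a failed vma_lookup() report -EOPNOTSUPP, the same errno as a mapping that lacks VM_MTE. Give the lookup failure its own check and errno so the two cases stay distinguishable, and move the vma_lookup() call above the comment block so the comment still sits directly on the VM_MTE condition it explains.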

Also,

> @@ -5591,7 +5591,9 @@ int __access_remote_vm(struct mm_struct *mm, unsigned long addr, void *buf,
>  		struct page *page = NULL;
>  
>  		ret = get_user_pages_remote(mm, addr, 1,
> -				gup_flags, &page, &vma, NULL);
> +				gup_flags, &page, NULL);
> +		vma = vma_lookup(mm, addr);
> +
>  		if (ret <= 0) {
>  #ifndef CONFIG_HAVE_IOREMAP_PROT
>  			break;
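Review bot: vma_lookup() is now called before the `if (ret <= 0)` test, and the added blank line separates get_user_pages_remote() from the check of its return value. Keep the ret check directly after the call and do the lookup inside each branch that uses vma, or add a comment explaining why it has to run unconditionally on every iteration.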
> @@ -5600,7 +5602,6 @@ int __access_remote_vm(struct mm_struct *mm, unsigned long addr, void *buf,
>  			 * Check if this is a VM_IO | VM_PFNMAP VMA, which
>  			 * we can access using slightly different code.
>  			 */
> -			vma = vma_lookup(mm, addr);
>  			if (!vma)
>  				break;
>  			if (vma->vm_ops && vma->vm_ops->access)
> @@ -5617,11 +5618,11 @@ int __access_remote_vm(struct mm_struct *mm, unsigned long addr, void *buf,
>  				bytes = PAGE_SIZE-offset;
>  
>  			maddr = kmap(page);
> -			if (write) {
> +			if (write && vma) {
>  				copy_to_user_page(vma, page, addr,
>  						  maddr + offset, buf, bytes);
>  				set_page_dirty_lock(page);
> -			} else {
> +			} else if (vma) {
>  				copy_from_user_page(vma, page, addr,
>  						    buf, maddr + offset, bytes);
>  			}
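Review bot: with `if (write && vma)` and `else if (vma)`, a NULL vma skips both copy helpers, but nothing in these lines sets ret or leaves the loop, so the caller cannot tell that no data was moved. Test `!vma` once before `maddr = kmap(page);`, and on failure release the page and break with an error, instead of guarding each branch separately.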

not calling copy_{from,to}_user_page() if vma == NULL is not sufficient for
propagating an error to the caller.
