| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 9 May 2023 01:37:03 +0200
From: David Hildenbrand <david@...hat.com>
To: Pasha Tatashin <pasha.tatashin@...een.com>
Cc: Matthew Wilcox <willy@...radead.org>,
Ruihan Li <lrh2000@....edu.cn>,
syzbot+fcf1a817ceb50935ce99@...kaller.appspotmail.com,
akpm@...ux-foundation.org, linux-kernel@...r.kernel.org,
linux-mm@...ck.org, gregkh@...uxfoundation.org,
linux-usb@...r.kernel.org, syzkaller-bugs@...glegroups.com
Subject: Re: usbdev_mmap causes type confusion in page_table_check
On 09.05.23 01:21, Pasha Tatashin wrote:
>> For normal Kernel-MM operations, vm_normal_page() should be used to
>> get "struct page" based on vma+addr+pte combination, but
>> page_table_check does not use vma for its operation in order to
>> strengthen the verification of no invalid page sharing. But, even
I'm not sure if that's the right approach for this case here, though.
>> vm_normal_page() can cause access to the "struct page" for VM_PFNMAP
>> if pfn_valid(pfn) is true. So, vm_normal_page() can return a struct
>> page for a user mapped slab page.
>
> Only for !ARCH_HAS_PTE_SPECIAL case, otherwise NULL is returned.
That would violate VM_PFNMAP semantics, though. I remember that there
was a trick to it.
Assuming we map /dev/mem, what stops a page we mapped and determined to
be !anon to be freed and reused, such that we suddenly have an anon page
mappped?
In that case, we really don't want to look at the "struct page" ever, no?
--
Thanks,
David / dhildenb
Powered by blists - more mailing lists