lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <20251009000356.8e18395dd9979045e0c66de2@linux-foundation.org>
Date: Thu, 9 Oct 2025 00:03:56 -0700
From: Andrew Morton <akpm@...ux-foundation.org>
To: "Huang, Ying" <ying.huang@...ux.alibaba.com>
Cc: Yadong Qi <yadong.qi@...ux.alibaba.com>, urezki@...il.com,
 linux-mm@...ck.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2] mm: vmalloc: WARN_ON if mapping size is not
 PAGE_SIZE aligned

On Thu, 09 Oct 2025 14:38:27 +0800 "Huang, Ying" <ying.huang@...ux.alibaba.com> wrote:

> Yadong Qi <yadong.qi@...ux.alibaba.com> writes:
> 
> > In mm/vmalloc.c, the function vmap_pte_range() assumes that the
> > mapping size is aligned to PAGE_SIZE. If this assumption is
> > violated, the loop will become infinite because the termination
> > condition (`addr != end`) will never be met. This can lead to
> > overwriting other VA ranges and/or random pages physically follow
> > the page table.
> >
> > It's the caller's responsibility to ensure that the mapping size
> > is aligned to PAGE_SIZE. However, the memory corruption is hard
> > to root cause. To identify the programming error in the caller
> > easier, check whether the mapping size is PAGE_SIZE aligned with
> > WARN_ON().
> >
> > Signed-off-by: Yadong Qi <yadong.qi@...ux.alibaba.com>
> > Reviewed-by: Huang Ying <ying.huang@...ux.alibaba.com>
> > ---
> > v1 -> v2:
> >   * Use WARN_ON instead of BUG_ON
> > ---
> >  mm/vmalloc.c | 3 +++
> >  1 file changed, 3 insertions(+)
> >
> > diff --git a/mm/vmalloc.c b/mm/vmalloc.c
> > index 5edd536ba9d2..2cad593e4677 100644
> > --- a/mm/vmalloc.c
> > +++ b/mm/vmalloc.c
> > @@ -100,6 +100,9 @@ static int vmap_pte_range(pmd_t *pmd, unsigned long addr, unsigned long end,
> >  	struct page *page;
> >  	unsigned long size = PAGE_SIZE;
> >  
> > +	if (WARN_ON(!PAGE_ALIGNED(end - addr)))
> > +		return -ENOMEM;
> > +
> 
> EINVAL?
> 

If this errno gets returned to userspace somehow, programmer is going
to wonder what was invalid about the arguments which the program passed
to the kernel.

But either way, the callers of vmap_pte_range() should be audited, to
verify that they take appropriate action when this happens.


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ