| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <033294ee-e6e6-4dca-b60c-019cb72a6857@grimberg.me> Date: Mon, 17 Jun 2024 09:29:53 +0300 From: Sagi Grimberg <sagi@...mberg.me> To: Matthew Wilcox <willy@...radead.org> Cc: kernel test robot <oliver.sang@...el.com>, oe-lkp@...ts.linux.dev, lkp@...el.com, netdev@...r.kernel.org, Eric Dumazet <edumazet@...gle.com>, Jakub Kicinski <kuba@...nel.org> Subject: Re: [PATCH] net: micro-optimize skb_datagram_iter On 17/06/2024 0:56, Matthew Wilcox wrote: > On Sun, Jun 16, 2024 at 12:24:28PM +0300, Sagi Grimberg wrote: >>> [ 13.495377][ T189] ------------[ cut here ]------------ >>> [ 13.495862][ T189] kernel BUG at mm/usercopy.c:102! >>> [ 13.496372][ T189] Oops: invalid opcode: 0000 [#1] PREEMPT SMP >>> [ 13.496927][ T189] CPU: 0 PID: 189 Comm: systemctl Not tainted 6.10.0-rc2-00258-g18f0423b9ecc #1 >>> [ 13.497741][ T189] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014 >>> [ 13.498663][ T189] EIP: usercopy_abort (mm/usercopy.c:102 (discriminator 12)) >>> [ 13.499424][ T194] usercopy: Kernel memory exposure attempt detected from kmap (offset 0, size 8192)! >> Hmm, not sure I understand exactly why changing kmap() to kmap_local_page() >> expose this, >> but it looks like mm/usercopy does not like size=8192 when copying for the >> skb frag. >> >> quick git browse directs to: >> -- >> commit 4e140f59d285c1ca1e5c81b4c13e27366865bd09 >> Author: Matthew Wilcox (Oracle) <willy@...radead.org> >> Date: Mon Jan 10 23:15:27 2022 +0000 >> >> mm/usercopy: Check kmap addresses properly >> >> If you are copying to an address in the kmap region, you may not copy >> across a page boundary, no matter what the size of the underlying >> allocation. You can't kmap() a slab page because slab pages always >> come from low memory. >> >> Signed-off-by: Matthew Wilcox (Oracle) <willy@...radead.org> >> Acked-by: Kees Cook <keescook@...omium.org> >> Signed-off-by: Kees Cook <keescook@...omium.org> >> Link: >> https://lore.kernel.org/r/20220110231530.665970-2-willy@infradead.org >> -- >> >> CCing willy. >> >> The documentation suggest that under single-context usage kmap() can be >> freely converted >> to kmap_local_page()? But seems that when using kmap() the size is not an >> issue, still trying to >> understand why. > Probably because kmap() returns page_address() for non-highmem pages > while kmap_local_page() actually returns a kmap address: > > if (!IS_ENABLED(CONFIG_DEBUG_KMAP_LOCAL_FORCE_MAP) && !PageHighMem(page)) > return page_address(page); > return __kmap_local_pfn_prot(page_to_pfn(page), prot); > > so if skb frags are always lowmem (are they?) this is a false positive. AFAIR these buffers are coming from the RX ring, so they should be coming from a page_frag_cache, so I want to say always low memory? > if they can be highmem, then you've uncovered a bug that nobody's > noticed because nobody's testing on 32-bit any more. Not sure, Jakub? Eric?
Powered by blists - more mailing lists