diff options
author | Matthew Wilcox (Oracle) <willy@infradead.org> | 2022-01-10 23:15:27 +0000 |
---|---|---|
committer | Kees Cook <keescook@chromium.org> | 2022-04-13 12:15:50 -0700 |
commit | 4e140f59d285c1ca1e5c81b4c13e27366865bd09 (patch) | |
tree | 0e16718847cb02bacbe823ac5ba388619e46359f /mm/usercopy.c | |
parent | a19944809fe9942e6a96292490717904d0690c21 (diff) | |
download | lwn-4e140f59d285c1ca1e5c81b4c13e27366865bd09.tar.gz lwn-4e140f59d285c1ca1e5c81b4c13e27366865bd09.zip |
mm/usercopy: Check kmap addresses properly
If you are copying to an address in the kmap region, you may not copy
across a page boundary, no matter what the size of the underlying
allocation. You can't kmap() a slab page because slab pages always
come from low memory.
Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
Acked-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/20220110231530.665970-2-willy@infradead.org
Diffstat (limited to 'mm/usercopy.c')
-rw-r--r-- | mm/usercopy.c | 16 |
1 files changed, 10 insertions, 6 deletions
diff --git a/mm/usercopy.c b/mm/usercopy.c index 2c235d5c2364..ff13e7708faa 100644 --- a/mm/usercopy.c +++ b/mm/usercopy.c @@ -229,12 +229,16 @@ static inline void check_heap_object(const void *ptr, unsigned long n, if (!virt_addr_valid(ptr)) return; - /* - * When CONFIG_HIGHMEM=y, kmap_to_page() will give either the - * highmem page or fallback to virt_to_page(). The following - * is effectively a highmem-aware virt_to_slab(). - */ - folio = page_folio(kmap_to_page((void *)ptr)); + if (is_kmap_addr(ptr)) { + unsigned long page_end = (unsigned long)ptr | (PAGE_SIZE - 1); + + if ((unsigned long)ptr + n - 1 > page_end) + usercopy_abort("kmap", NULL, to_user, + offset_in_page(ptr), n); + return; + } + + folio = virt_to_folio(ptr); if (folio_test_slab(folio)) { /* Check slab allocator for flags and size. */ |