LKML Archive on lore.kernel.org
help / color / mirror / Atom feed
* Re: [PATCH] Avoid buffer overflows in get_user_pages()
       [not found] ` <fa.NNs+hqAlLlf93+yNZ/YJzSyGQbs@ifi.uio.no>
@ 2008-02-12  3:16   ` Robert Hancock
  2008-02-12  5:56     ` Nick Piggin
  0 siblings, 1 reply; 9+ messages in thread
From: Robert Hancock @ 2008-02-12  3:16 UTC (permalink / raw)
  To: Nick Piggin; +Cc: Jonathan Corbet, linux-kernel, akpm, torvalds

Nick Piggin wrote:
> On Tuesday 12 February 2008 10:17, Jonathan Corbet wrote:
>> Avoid buffer overflows in get_user_pages()
>>
>> So I spent a while pounding my head against my monitor trying to figure
>> out the vmsplice() vulnerability - how could a failure to check for
>> *read* access turn into a root exploit?  It turns out that it's a buffer
>> overflow problem which is made easy by the way get_user_pages() is
>> coded.
>>
>> In particular, "len" is a signed int, and it is only checked at the
>> *end* of a do {} while() loop.  So, if it is passed in as zero, the loop
>> will execute once and decrement len to -1.  At that point, the loop will
>> proceed until the next invalid address is found; in the process, it will
>> likely overflow the pages array passed in to get_user_pages().
>>
>> I think that, if get_user_pages() has been asked to grab zero pages,
>> that's what it should do.  Thus this patch; it is, among other things,
>> enough to block the (already fixed) root exploit and any others which
>> might be lurking in similar code.  I also think that the number of pages
>> should be unsigned, but changing the prototype of this function probably
>> requires some more careful review.
>>
>> Signed-off-by: Jonathan Corbet <corbet@lwn.net>
>>
>> diff --git a/mm/memory.c b/mm/memory.c
>> index e5628a5..7f50fd8 100644
>> --- a/mm/memory.c
>> +++ b/mm/memory.c
>> @@ -989,6 +989,8 @@ int get_user_pages(struct task_struct *tsk, struct
>> mm_struct *mm, int i;
>>  	unsigned int vm_flags;
>>
>> +	if (len <= 0)
>> +		return 0;
> 
> BUG_ON()?

Well, not if the code involved in the exploit can pass a zero value, 
otherwise it's just turning it into a DoS..

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: [PATCH] Avoid buffer overflows in get_user_pages()
  2008-02-12  3:16   ` [PATCH] Avoid buffer overflows in get_user_pages() Robert Hancock
@ 2008-02-12  5:56     ` Nick Piggin
  0 siblings, 0 replies; 9+ messages in thread
From: Nick Piggin @ 2008-02-12  5:56 UTC (permalink / raw)
  To: Robert Hancock; +Cc: Jonathan Corbet, linux-kernel, akpm, torvalds

On Tuesday 12 February 2008 14:16, Robert Hancock wrote:
> Nick Piggin wrote:
> > On Tuesday 12 February 2008 10:17, Jonathan Corbet wrote:
> >> Avoid buffer overflows in get_user_pages()
> >>
> >> So I spent a while pounding my head against my monitor trying to figure
> >> out the vmsplice() vulnerability - how could a failure to check for
> >> *read* access turn into a root exploit?  It turns out that it's a buffer
> >> overflow problem which is made easy by the way get_user_pages() is
> >> coded.
> >>
> >> In particular, "len" is a signed int, and it is only checked at the
> >> *end* of a do {} while() loop.  So, if it is passed in as zero, the loop
> >> will execute once and decrement len to -1.  At that point, the loop will
> >> proceed until the next invalid address is found; in the process, it will
> >> likely overflow the pages array passed in to get_user_pages().
> >>
> >> I think that, if get_user_pages() has been asked to grab zero pages,
> >> that's what it should do.  Thus this patch; it is, among other things,
> >> enough to block the (already fixed) root exploit and any others which
> >> might be lurking in similar code.  I also think that the number of pages
> >> should be unsigned, but changing the prototype of this function probably
> >> requires some more careful review.
> >>
> >> Signed-off-by: Jonathan Corbet <corbet@lwn.net>
> >>
> >> diff --git a/mm/memory.c b/mm/memory.c
> >> index e5628a5..7f50fd8 100644
> >> --- a/mm/memory.c
> >> +++ b/mm/memory.c
> >> @@ -989,6 +989,8 @@ int get_user_pages(struct task_struct *tsk, struct
> >> mm_struct *mm, int i;
> >>  	unsigned int vm_flags;
> >>
> >> +	if (len <= 0)
> >> +		return 0;
> >
> > BUG_ON()?
>
> Well, not if the code involved in the exploit can pass a zero value,

Which is a bug, and you want to catch it.


> otherwise it's just turning it into a DoS..

If it is due to a security bug, then the fix is to fix the point
where the kernel starts trusting an untrusted value. Not to hide
the bug like this. Arguably, a BUG_ON is better in the case of a
security hole because you want to halt the process as soon as you
detect a problem.

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: [PATCH] Avoid buffer overflows in get_user_pages() 
  2008-02-14 16:45 ` Oliver Pinter
@ 2008-02-14 21:09   ` Jonathan Corbet
  0 siblings, 0 replies; 9+ messages in thread
From: Jonathan Corbet @ 2008-02-14 21:09 UTC (permalink / raw)
  To: Oliver Pinter; +Cc: linux-kernel, akpm, torvalds

Oliver Pinter <oliver.pntr@gmail.com> wrote:

> for stable (.22 .23 .24) ?
> 
> git id in mainline: 900cf086fd2fbad07f72f4575449e0d0958f860f

I sent it to the stable folks a couple days ago.

Thanks,

jon

Jonathan Corbet / LWN.net / corbet@lwn.net

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: [PATCH] Avoid buffer overflows in get_user_pages()
  2008-02-11 23:17 Jonathan Corbet
  2008-02-11 23:45 ` Nick Piggin
  2008-02-12  7:46 ` Andrew Morton
@ 2008-02-14 16:45 ` Oliver Pinter
  2008-02-14 21:09   ` Jonathan Corbet
  2 siblings, 1 reply; 9+ messages in thread
From: Oliver Pinter @ 2008-02-14 16:45 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, akpm, torvalds, Jonathan Corbet

for stable (.22 .23 .24) ?

git id in mainline: 900cf086fd2fbad07f72f4575449e0d0958f860f

--

tested in: http://repo.or.cz/w/linux-2.6.22.y-op.git testing

On 2/12/08, Jonathan Corbet <corbet@lwn.net> wrote:
> Avoid buffer overflows in get_user_pages()
>
> So I spent a while pounding my head against my monitor trying to figure
> out the vmsplice() vulnerability - how could a failure to check for
> *read* access turn into a root exploit? It turns out that it's a buffer
> overflow problem which is made easy by the way get_user_pages() is
> coded.
>
> In particular, "len" is a signed int, and it is only checked at the
> *end* of a do {} while() loop. So, if it is passed in as zero, the loop
> will execute once and decrement len to -1. At that point, the loop will
> proceed until the next invalid address is found; in the process, it will
> likely overflow the pages array passed in to get_user_pages().
>
> I think that, if get_user_pages() has been asked to grab zero pages,
> that's what it should do. Thus this patch; it is, among other things,
> enough to block the (already fixed) root exploit and any others which
> might be lurking in similar code. I also think that the number of pages
> should be unsigned, but changing the prototype of this function probably
> requires some more careful review.
>
> Signed-off-by: Jonathan Corbet <corbet@lwn.net>
>
> diff --git a/mm/memory.c b/mm/memory.c
> index e5628a5..7f50fd8 100644
> --- a/mm/memory.c
> +++ b/mm/memory.c
> @@ -989,6 +989,8 @@ int get_user_pages(struct task_struct *tsk, struct
> mm_struct *mm,
> int i;
> unsigned int vm_flags;
>
> +	if (len <= 0)
> +	return 0;
> /*
> * Require read or write permissions.
> * If 'force' is set, we only require the "MAY" flags.
> --
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at http://www.tux.org/lkml/
>
--
Thanks,
Oliver

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: [PATCH] Avoid buffer overflows in get_user_pages()
  2008-02-12  7:46 ` Andrew Morton
@ 2008-02-12 10:35   ` Jiri Kosina
  0 siblings, 0 replies; 9+ messages in thread
From: Jiri Kosina @ 2008-02-12 10:35 UTC (permalink / raw)
  To: Andrew Morton; +Cc: Jonathan Corbet, linux-kernel, torvalds

On Mon, 11 Feb 2008, Andrew Morton wrote:

> > +	if (len <= 0)
> > +		return 0;
> >  	/* 
> >  	 * Require read or write permissions.
> >  	 * If 'force' is set, we only require the "MAY" flags.
> Can we just convert
> 	do {
> 		...
> 	} while (len);
> into
> 	while (len) {
> 		...
> 	}

How would that help?

Rather

	while (len > 0) {
		...
	}

would do the trick.

-- 
Jiri Kosina

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: [PATCH] Avoid buffer overflows in get_user_pages()
       [not found] ` <9VY4a-1tI-21@gated-at.bofh.it>
@ 2008-02-12  8:34   ` Bodo Eggert
  0 siblings, 0 replies; 9+ messages in thread
From: Bodo Eggert @ 2008-02-12  8:34 UTC (permalink / raw)
  To: Andrew Morton, Jonathan Corbet, linux-kernel, torvalds

Andrew Morton <akpm@linux-foundation.org> wrote:
> On Mon, 11 Feb 2008 16:17:33 -0700 Jonathan Corbet <corbet@lwn.net> wrote:

>> Avoid buffer overflows in get_user_pages()
>> 
>> So I spent a while pounding my head against my monitor trying to figure
>> out the vmsplice() vulnerability - how could a failure to check for
>> *read* access turn into a root exploit?  It turns out that it's a buffer
>> overflow problem which is made easy by the way get_user_pages() is
>> coded.
>> 
>> In particular, "len" is a signed int, and it is only checked at the
>> *end* of a do {} while() loop.  So, if it is passed in as zero, the loop
>> will execute once and decrement len to -1.  At that point, the loop will
>> proceed until the next invalid address is found; in the process, it will
>> likely overflow the pages array passed in to get_user_pages().

[...]

> Can we just convert
> 
> do {
> ...
> } while (len);
> 
> into
> 
> while (len) {

while (len > 0), if I understand this patch correctly.


^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: [PATCH] Avoid buffer overflows in get_user_pages()
  2008-02-11 23:17 Jonathan Corbet
  2008-02-11 23:45 ` Nick Piggin
@ 2008-02-12  7:46 ` Andrew Morton
  2008-02-12 10:35   ` Jiri Kosina
  2008-02-14 16:45 ` Oliver Pinter
  2 siblings, 1 reply; 9+ messages in thread
From: Andrew Morton @ 2008-02-12  7:46 UTC (permalink / raw)
  To: Jonathan Corbet; +Cc: linux-kernel, torvalds

On Mon, 11 Feb 2008 16:17:33 -0700 Jonathan Corbet <corbet@lwn.net> wrote:

> Avoid buffer overflows in get_user_pages()
> 
> So I spent a while pounding my head against my monitor trying to figure
> out the vmsplice() vulnerability - how could a failure to check for
> *read* access turn into a root exploit?  It turns out that it's a buffer
> overflow problem which is made easy by the way get_user_pages() is
> coded.
> 
> In particular, "len" is a signed int, and it is only checked at the
> *end* of a do {} while() loop.  So, if it is passed in as zero, the loop
> will execute once and decrement len to -1.  At that point, the loop will
> proceed until the next invalid address is found; in the process, it will
> likely overflow the pages array passed in to get_user_pages().

Sounds convincing.

> I think that, if get_user_pages() has been asked to grab zero pages,
> that's what it should do.  Thus this patch; it is, among other things,
> enough to block the (already fixed) root exploit and any others which
> might be lurking in similar code.  I also think that the number of pages
> should be unsigned, but changing the prototype of this function probably
> requires some more careful review.
> 
> Signed-off-by: Jonathan Corbet <corbet@lwn.net>
> 
> diff --git a/mm/memory.c b/mm/memory.c
> index e5628a5..7f50fd8 100644
> --- a/mm/memory.c
> +++ b/mm/memory.c
> @@ -989,6 +989,8 @@ int get_user_pages(struct task_struct *tsk, struct mm_struct *mm,
>  	int i;
>  	unsigned int vm_flags;
>  
> +	if (len <= 0)
> +		return 0;
>  	/* 
>  	 * Require read or write permissions.
>  	 * If 'force' is set, we only require the "MAY" flags.

Can we just convert

	do {
		...
	} while (len);

into

	while (len) {
		...
	}

?

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: [PATCH] Avoid buffer overflows in get_user_pages()
  2008-02-11 23:17 Jonathan Corbet
@ 2008-02-11 23:45 ` Nick Piggin
  2008-02-12  7:46 ` Andrew Morton
  2008-02-14 16:45 ` Oliver Pinter
  2 siblings, 0 replies; 9+ messages in thread
From: Nick Piggin @ 2008-02-11 23:45 UTC (permalink / raw)
  To: Jonathan Corbet; +Cc: linux-kernel, akpm, torvalds

On Tuesday 12 February 2008 10:17, Jonathan Corbet wrote:
> Avoid buffer overflows in get_user_pages()
>
> So I spent a while pounding my head against my monitor trying to figure
> out the vmsplice() vulnerability - how could a failure to check for
> *read* access turn into a root exploit?  It turns out that it's a buffer
> overflow problem which is made easy by the way get_user_pages() is
> coded.
>
> In particular, "len" is a signed int, and it is only checked at the
> *end* of a do {} while() loop.  So, if it is passed in as zero, the loop
> will execute once and decrement len to -1.  At that point, the loop will
> proceed until the next invalid address is found; in the process, it will
> likely overflow the pages array passed in to get_user_pages().
>
> I think that, if get_user_pages() has been asked to grab zero pages,
> that's what it should do.  Thus this patch; it is, among other things,
> enough to block the (already fixed) root exploit and any others which
> might be lurking in similar code.  I also think that the number of pages
> should be unsigned, but changing the prototype of this function probably
> requires some more careful review.
>
> Signed-off-by: Jonathan Corbet <corbet@lwn.net>
>
> diff --git a/mm/memory.c b/mm/memory.c
> index e5628a5..7f50fd8 100644
> --- a/mm/memory.c
> +++ b/mm/memory.c
> @@ -989,6 +989,8 @@ int get_user_pages(struct task_struct *tsk, struct
> mm_struct *mm, int i;
>  	unsigned int vm_flags;
>
> +	if (len <= 0)
> +		return 0;

BUG_ON()?

^ permalink raw reply	[flat|nested] 9+ messages in thread

* [PATCH] Avoid buffer overflows in get_user_pages()
@ 2008-02-11 23:17 Jonathan Corbet
  2008-02-11 23:45 ` Nick Piggin
                   ` (2 more replies)
  0 siblings, 3 replies; 9+ messages in thread
From: Jonathan Corbet @ 2008-02-11 23:17 UTC (permalink / raw)
  To: linux-kernel; +Cc: akpm, torvalds

Avoid buffer overflows in get_user_pages()

So I spent a while pounding my head against my monitor trying to figure
out the vmsplice() vulnerability - how could a failure to check for
*read* access turn into a root exploit?  It turns out that it's a buffer
overflow problem which is made easy by the way get_user_pages() is
coded.

In particular, "len" is a signed int, and it is only checked at the
*end* of a do {} while() loop.  So, if it is passed in as zero, the loop
will execute once and decrement len to -1.  At that point, the loop will
proceed until the next invalid address is found; in the process, it will
likely overflow the pages array passed in to get_user_pages().

I think that, if get_user_pages() has been asked to grab zero pages,
that's what it should do.  Thus this patch; it is, among other things,
enough to block the (already fixed) root exploit and any others which
might be lurking in similar code.  I also think that the number of pages
should be unsigned, but changing the prototype of this function probably
requires some more careful review.

Signed-off-by: Jonathan Corbet <corbet@lwn.net>

diff --git a/mm/memory.c b/mm/memory.c
index e5628a5..7f50fd8 100644
--- a/mm/memory.c
+++ b/mm/memory.c
@@ -989,6 +989,8 @@ int get_user_pages(struct task_struct *tsk, struct mm_struct *mm,
 	int i;
 	unsigned int vm_flags;
 
+	if (len <= 0)
+		return 0;
 	/* 
 	 * Require read or write permissions.
 	 * If 'force' is set, we only require the "MAY" flags.

^ permalink raw reply	[flat|nested] 9+ messages in thread

end of thread, other threads:[~2008-02-14 21:09 UTC | newest]

Thread overview: 9+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
     [not found] <fa.5jOFf0zR7ZoK3hLDItf3Omow4lE@ifi.uio.no>
     [not found] ` <fa.NNs+hqAlLlf93+yNZ/YJzSyGQbs@ifi.uio.no>
2008-02-12  3:16   ` [PATCH] Avoid buffer overflows in get_user_pages() Robert Hancock
2008-02-12  5:56     ` Nick Piggin
     [not found] <9VQ6w-5Xn-7@gated-at.bofh.it>
     [not found] ` <9VY4a-1tI-21@gated-at.bofh.it>
2008-02-12  8:34   ` Bodo Eggert
2008-02-11 23:17 Jonathan Corbet
2008-02-11 23:45 ` Nick Piggin
2008-02-12  7:46 ` Andrew Morton
2008-02-12 10:35   ` Jiri Kosina
2008-02-14 16:45 ` Oliver Pinter
2008-02-14 21:09   ` Jonathan Corbet

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).