From patchwork Mon Nov 11 19:34:30 2024
X-Patchwork-Submitter: Jann Horn
X-Patchwork-Id: 13871184
From: Jann Horn
Date: Mon, 11 Nov 2024 20:34:30 +0100
Subject: [PATCH] mm/mremap: Fix address wraparound in move_page_tables()
Message-Id: <20241111-fix-mremap-32bit-wrap-v1-1-61d6be73b722@google.com>
To: Andrew Morton
Cc: "Joel Fernandes (Google)", Lorenzo Stoakes, "Liam R. Howlett", Vlastimil Babka, linux-mm@kvack.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org, Jann Horn
X-Mailer: b4 0.15-dev
On 32-bit platforms, it is possible for the expression `len + old_addr < old_end` to be false-positive if `len + old_addr` wraps around. `old_addr` is the cursor in the old range up to which page table entries have been moved; so if the operation succeeded, `old_addr` is the *end* of the old region, and adding `len` to it can wrap.
The overflow causes mremap() to mistakenly believe that PTEs have been copied; the consequence is that mremap() bails out, but doesn't move the PTEs back before the new VMA is unmapped, causing anonymous pages in the region to be lost. So basically if userspace tries to mremap() a private-anon region and hits this bug, mremap() will return an error and the private-anon region's contents appear to have been zeroed.

The idea of this check is that `old_end - len` is the original start address, and writing the check that way also makes it easier to read; so fix the check by rearranging the comparison accordingly.

(An alternate fix would be to refactor this function by introducing an "orig_old_start" variable or such.)

Cc: stable@vger.kernel.org
Fixes: af8ca1c14906 ("mm/mremap: optimize the start addresses in move_page_tables()")
Signed-off-by: Jann Horn
Reviewed-by: Liam R. Howlett
Acked-by: Qi Zheng
Reviewed-by: Lorenzo Stoakes
Acked-by: Vlastimil Babka
---
Tested in a VM with a 32-bit X86 kernel; without the patch:

```
user@horn:~/big_mremap$ cat test.c
#define _GNU_SOURCE
#include <sys/mman.h>
#include <stdio.h>
#include <err.h>

#define ADDR1 ((void*)0x60000000)
#define ADDR2 ((void*)0x10000000)
#define SIZE 0x50000000uL

int main(void) {
  unsigned char *p1 = mmap(ADDR1, SIZE, PROT_READ|PROT_WRITE,
      MAP_ANONYMOUS|MAP_PRIVATE|MAP_FIXED_NOREPLACE, -1, 0);
  if (p1 == MAP_FAILED)
    err(1, "mmap 1");
  unsigned char *p2 = mmap(ADDR2, SIZE, PROT_NONE,
      MAP_ANONYMOUS|MAP_PRIVATE|MAP_FIXED_NOREPLACE, -1, 0);
  if (p2 == MAP_FAILED)
    err(1, "mmap 2");
  *p1 = 0x41;
  printf("first char is 0x%02hhx\n", *p1);
  unsigned char *p3 = mremap(p1, SIZE, SIZE, MREMAP_MAYMOVE|MREMAP_FIXED, p2);
  if (p3 == MAP_FAILED) {
    printf("mremap() failed; first char is 0x%02hhx\n", *p1);
  } else {
    printf("mremap() succeeded; first char is 0x%02hhx\n", *p3);
  }
}
user@horn:~/big_mremap$ gcc -static -o test test.c
user@horn:~/big_mremap$ setarch -R ./test
first char is 0x41
mremap() failed; first char is 0x00
```

With the patch:

```
user@horn:~/big_mremap$ setarch -R ./test
first char is 0x41
mremap() succeeded; first char is 0x41
```
---
 mm/mremap.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
---
base-commit: 2d5404caa8c7bb5c4e0435f94b28834ae5456623
change-id: 20241111-fix-mremap-32bit-wrap-747105730f20

diff --git a/mm/mremap.c b/mm/mremap.c
index dda09e957a5d4c2546934b796e862e5e0213b311..dee98ff2bbd64439200dddac16c4bd054537c2ed 100644
--- a/mm/mremap.c
+++ b/mm/mremap.c
@@ -648,7 +648,7 @@ unsigned long move_page_tables(struct vm_area_struct *vma,
 	 * Prevent negative return values when {old,new}_addr was realigned
 	 * but we broke out of the above loop for the first PMD itself.
 	 */
-	if (len + old_addr < old_end)
+	if (old_addr < old_end - len)
 		return 0;
 
 	return len + old_addr - old_end;	/* how much done */
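Review bot: the rewritten condition `if (old_addr < old_end - len)` is only a faithful "cursor is below the original start" test if `old_end` and `len` still hold their entry values at this point, so that `old_end - len` names the original `old_addr`; nothing in the hunk states that, and the comment directly above it still explains only the realignment case, not the 32-bit wrap of `len + old_addr` that the `-`/`+` pair removes. Suggest extending that comment with one line along the lines of `* old_end - len is the original old_addr; compare against it so the sum cannot wrap on 32-bit` or, as the cover text itself proposes, keeping the original start in a named variable, so the next reader does not have to re-derive why `return len + old_addr - old_end;` is now safe to reach.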
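A worked model of the two comparisons under 32-bit unsigned arithmetic, added here as an editorial example; it is not code from the patch or from mm/mremap.c. It reuses the constants of the test program above (old range starting at 0x60000000 with length 0x50000000), models the kernel's `unsigned long` as `uint32_t`, and the function names `tail_before`, `tail_after`, `expected_moved`, `count_mismatches` and the three cursor scenarios are assumptions made for illustration only. It shows why the pre-patch check reports "nothing moved" exactly in the fully-successful case, while the patched check agrees with the ground truth in every scenario, including the realigned-cursor case the original comment was written for.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Models the 32-bit kernel's unsigned long; assignments truncate to 32 bits. */
typedef uint32_t ulong32;

/* Tail of move_page_tables() before the patch (kept deliberately as it was):
 * the sum len + old_addr is formed first and can wrap past 2^32, which makes
 * the "nothing moved" test spuriously true. */
static ulong32 tail_before(ulong32 old_addr, ulong32 old_end, ulong32 len)
{
	ulong32 sum = len + old_addr;	/* may wrap on 32-bit */
	if (sum < old_end)
		return 0;
	return sum - old_end;		/* how much done */
}

/* Tail after the patch: old_end - len is the original start address, so the
 * comparison needs no addition that could wrap. The final subtraction is
 * modular and yields the right value whenever the check above passes. */
static ulong32 tail_after(ulong32 old_addr, ulong32 old_end, ulong32 len)
{
	ulong32 orig_start = old_end - len;
	if (old_addr < orig_start)
		return 0;
	ulong32 done = len + old_addr - old_end;
	return done;
}

/* Ground truth for this example: how much of [orig_start, old_end) has been
 * moved when the cursor stands at old_addr; 0 if the cursor was realigned
 * below the start and the loop broke out before moving anything. */
static ulong32 expected_moved(ulong32 orig_start, ulong32 old_addr)
{
	return old_addr < orig_start ? 0 : old_addr - orig_start;
}

/* Constructed scenarios derived from the test program's constants:
 * old range [0x60000000, 0xB0000000), len 0x50000000. */
#define ORIG_START 0x60000000u
#define LEN        0x50000000u
#define OLD_END    (ORIG_START + LEN)

struct scenario {
	const char *name;
	ulong32 old_addr;	/* assumed cursor value when the loop ended */
};

static const struct scenario scenarios[] = {
	{ "all PTEs moved (cursor == old_end)",              OLD_END },
	{ "realigned below start, broke out at first PMD",   ORIG_START - 0x200000u },
	{ "partial move of 0x20000000",                      ORIG_START + 0x20000000u },
};

/* Counts scenarios in which a given tail disagrees with expected_moved(). */
static int count_mismatches(ulong32 (*tail)(ulong32, ulong32, ulong32))
{
	int bad = 0;
	for (size_t i = 0; i < sizeof scenarios / sizeof scenarios[0]; i++) {
		ulong32 got = tail(scenarios[i].old_addr, OLD_END, LEN);
		ulong32 want = expected_moved(ORIG_START, scenarios[i].old_addr);
		if (got != want)
			bad++;
	}
	return bad;
}

int main(void)
{
	for (size_t i = 0; i < sizeof scenarios / sizeof scenarios[0]; i++) {
		ulong32 a = scenarios[i].old_addr;
		printf("%-48s before=0x%08x after=0x%08x expected=0x%08x\n",
		       scenarios[i].name,
		       tail_before(a, OLD_END, LEN), tail_after(a, OLD_END, LEN),
		       expected_moved(ORIG_START, a));
	}
	printf("mismatches: before=%d after=%d\n",
	       count_mismatches(tail_before), count_mismatches(tail_after));
	return 0;
}
```

Compile with a 32-bit-sized `unsigned int` (any mainstream ILP32 or LP64 toolchain); the first scenario is the one the test program triggers, where `len + old_addr` is exactly 2^32 and wraps to 0.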