• Laura Abbott's avatar
    mm: usercopy: Check for module addresses · aa4f0601
    Laura Abbott authored
    While running a compile on arm64, I hit a memory exposure
    
    usercopy: kernel memory exposure attempt detected from fffffc0000f3b1a8 (buffer_head) (1 bytes)
    ------------[ cut here ]------------
    kernel BUG at mm/usercopy.c:75!
    Internal error: Oops - BUG: 0 [#1] SMP
    Modules linked in: ip6t_rpfilter ip6t_REJECT
    nf_reject_ipv6 xt_conntrack ip_set nfnetlink ebtable_broute bridge stp
    llc ebtable_nat ip6table_security ip6table_raw ip6table_nat
    nf_conntrack_ipv6 nf_defrag_ipv6 nf_nat_ipv6 ip6table_mangle
    iptable_security iptable_raw iptable_nat nf_conntrack_ipv4
    nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack iptable_mangle
    ebtable_filter ebtables ip6table_filter ip6_tables vfat fat xgene_edac
    xgene_enet edac_core i2c_xgene_slimpro i2c_core at803x realtek xgene_dma
    mdio_xgene gpio_dwapb gpio_xgene_sb xgene_rng mailbox_xgene_slimpro nfsd
    auth_rpcgss nfs_acl lockd grace sunrpc xfs libcrc32c sdhci_of_arasan
    sdhci_pltfm sdhci mmc_core xhci_plat_hcd gpio_keys
    CPU: 0 PID: 19744 Comm: updatedb Tainted: G        W 4.8.0-rc3-threadinfo+ #1
    Hardware name: AppliedMicro X-Gene Mustang Board/X-Gene Mustang Board, BIOS 3.06.12 Aug 12 2016
    task: fffffe03df944c00 task.stack: fffffe00d128c000
    PC is at __check_object_size+0x70/0x3f0
    LR is at __check_object_size+0x70/0x3f0
    ...
    [<fffffc00082b4280>] __check_object_size+0x70/0x3f0
    [<fffffc00082cdc30>] filldir64+0x158/0x1a0
    [<fffffc0000f327e8>] __fat_readdir+0x4a0/0x558 [fat]
    [<fffffc0000f328d4>] fat_readdir+0x34/0x40 [fat]
    [<fffffc00082cd8f8>] iterate_dir+0x190/0x1e0
    [<fffffc00082cde58>] SyS_getdents64+0x88/0x120
    [<fffffc0008082c70>] el0_svc_naked+0x24/0x28
    
    fffffc0000f3b1a8 is a module address. Modules may have compiled in
    strings which could get copied to userspace. In this instance, it
    looks like "." which matches with a size of 1 byte. Extend the
    is_vmalloc_addr check to be is_vmalloc_or_module_addr to cover
    all possible cases.
    Signed-off-by: default avatarLaura Abbott <labbott@redhat.com>
    Signed-off-by: default avatarKees Cook <keescook@chromium.org>
    aa4f0601
usercopy.c 7.73 KB