commit | cc9cec492660a4cbcd202fd6c448f316d006ab63 | |
---|---|---|
author | Daniel Kurtz <[email protected]> | Wed Feb 21 21:52:04 2018 |
committer | chrome-bot <[email protected]> | Thu Feb 22 06:26:56 2018 |
tree | 8ce5116d113f8fbfabf858cef4b5d179b50cb68c | |
parent | 44c67616678e96b4e2bf05dbf5f1641c74115d2b | |
BACKPORT: x86/mm: Limit mmap() of /dev/mem to valid physical addresses

One thing /dev/mem access APIs should verify is that there's no way that excessively large pfn's can leak into the high bits of the page table entry.

In particular, if people can use "very large physical page addresses" through /dev/mem to set the bits past bit 58 - SOFTW4 and permission key bits and NX bit, that could *really* confuse the kernel.

We had an earlier attempt:

  ce56a86e2ade ("x86/mm: Limit mmap() of /dev/mem to valid physical addresses")

... which turned out to be too restrictive (breaking mem=... bootups for example) and had to be reverted in:

  90edaac62729 ("Revert "x86/mm: Limit mmap() of /dev/mem to valid physical addresses"")

This v2 attempt modifies the original patch and makes sure that mmap(/dev/mem) limits the pfns so that it at least fits in the actual pteval_t architecturally:

 - Make sure mmap_mem() actually validates that the offset fits in phys_addr_t

   ( This may be indirectly true due to some other check, but it's not entirely obvious. )

 - Change valid_mmap_phys_addr_range() to just use phys_addr_valid() on the top byte

   ( Top byte is sufficient, because mmap_mem() has already checked that it cannot wrap. )

 - Add a few comments about what the valid_phys_addr_range() vs. valid_mmap_phys_addr_range() difference is.

Signed-off-by: Craig Bergstrom <[email protected]>
[ Fixed the checks and added comments. ]
Signed-off-by: Linus Torvalds <[email protected]>
[ Collected the discussion and patches into a commit. ]
Cc: Boris Ostrovsky <[email protected]>
Cc: Fengguang Wu <[email protected]>
Cc: Greg Kroah-Hartman <[email protected]>
Cc: Hans Verkuil <[email protected]>
Cc: Mauro Carvalho Chehab <[email protected]>
Cc: Peter Zijlstra <[email protected]>
Cc: Sander Eikelenboom <[email protected]>
Cc: Sean Young <[email protected]>
Cc: Thomas Gleixner <[email protected]>
Link: http://lkml.kernel.org/r/CA+55aFyEcOMb657vWSmrM13OxmHxC-XxeBmNis=DwVvpJUOogQ@mail.gmail.com
Signed-off-by: Ingo Molnar <[email protected]>
(cherry picked from commit be62a32044061cb4a3b70a10598e093f1319102e)
Signed-off-by: Daniel Kurtz <[email protected]>
[djkurtz: Ignoring context diff due to chromeos-4.14 lacking:
  1e0f25dbf246 x86/mm: Prevent non-MAP_FIXED mapping across DEFAULT_MAP_WINDOW border
]

BUG=b:66966804
TEST=pagemash (from b:66966804)

Change-Id: I43ead5c50a154c5430736a43b1cb04461dda75be
Reviewed-on: https://chromium-review.googlesource.com/930170
Commit-Ready: Daniel Kurtz <[email protected]>
Tested-by: Daniel Kurtz <[email protected]>
Reviewed-by: Craig Bergstrom <[email protected]>
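As an added illustration of the three checks the message describes (a userspace model written for this page, not the kernel's own code and not part of this commit): mmap_mem()'s offset-fits-in-phys_addr_t and no-wrap checks, followed by valid_mmap_phys_addr_range() applying phys_addr_valid() to the last byte of the range. PAGE_SHIFT = 12 and a 46-bit physical address width (standing in for the CPU's x86_phys_bits) are assumed constants, not values from the page.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumptions for this model: 4 KiB pages and a 46-bit physical address
 * width (stands in for boot_cpu_data.x86_phys_bits; chosen, not from the page). */
#define PAGE_SHIFT 12
#define EINVAL 22
typedef uint64_t phys_addr_t;
static const unsigned int x86_phys_bits = 46;

/* True if addr has no bits set above the CPU's physical address width. */
bool phys_addr_valid(phys_addr_t addr)
{
    return (addr >> x86_phys_bits) == 0;
}

/* Only the last byte of the range needs checking here: the caller has
 * already rejected ranges that wrap around the end of phys_addr_t. */
bool valid_mmap_phys_addr_range(unsigned long pfn, size_t count)
{
    phys_addr_t addr = (phys_addr_t)pfn << PAGE_SHIFT;
    return phys_addr_valid(addr + count - 1);
}

/* Model of the mmap_mem() checks: 0 = mapping allowed, -EINVAL = rejected. */
int check_dev_mem_mmap(unsigned long pgoff, size_t size)
{
    phys_addr_t offset = (phys_addr_t)pgoff << PAGE_SHIFT;

    /* Does the page offset even fit in phys_addr_t once shifted? A pfn with
     * high bits set would otherwise land in the PTE's flag / NX bit positions. */
    if (offset >> PAGE_SHIFT != pgoff)
        return -EINVAL;

    /* It is illegal to wrap around the end of the physical address space. */
    if (offset + (phys_addr_t)size - 1 < offset)
        return -EINVAL;

    /* Finally, the highest byte must be an architecturally valid address. */
    if (!valid_mmap_phys_addr_range(pgoff, size))
        return -EINVAL;

    return 0;
}

int main(void)
{
    printf("pgoff 0x1000, 4 KiB: %d\n", check_dev_mem_mmap(0x1000UL, 4096));
    printf("pgoff 1<<60, 4 KiB:  %d\n", check_dev_mem_mmap(1UL << 60, 4096));
    return 0;
}
```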