Commit ce56a86

Craig Bergstrom authored and Ingo Molnar committed
x86/mm: Limit mmap() of /dev/mem to valid physical addresses
Currently, it is possible to mmap() any offset from /dev/mem. If a program mmaps() /dev/mem offsets outside of the addressable limits of a system, the page table can be corrupted by setting reserved bits.

For example if you mmap() offset 0x0001000000000000 of /dev/mem on an x86_64 system with a 48-bit bus, the page fault handler will be called with error_code set to RSVD. The kernel then crashes with a page table corruption error.

This change prevents this page table corruption on x86 by refusing to mmap offsets higher than the highest valid address in the system.

Signed-off-by: Craig Bergstrom <craigb@google.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Brian Gerst <brgerst@gmail.com>
Cc: Denys Vlasenko <dvlasenk@redhat.com>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Luis R. Rodriguez <mcgrof@suse.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Toshi Kani <toshi.kani@hp.com>
Cc: dsafonov@virtuozzo.com
Cc: kirill.shutemov@linux.intel.com
Cc: mhocko@suse.com
Cc: oleg@redhat.com
Link: http://lkml.kernel.org/r/20171019192856.39672-1-craigb@google.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
1 parent 7ac7f2c commit ce56a86

2 files changed

+16
-0
lines changed

arch/x86/include/asm/io.h

Lines changed: 4 additions & 0 deletions
@@ -110,6 +110,10 @@ build_mmio_write(__writeq, "q", unsigned long, "r", )
110110

111111
#endif
112112

113+
#define ARCH_HAS_VALID_PHYS_ADDR_RANGE
114+
extern int valid_phys_addr_range(phys_addr_t addr, size_t size);
115+
extern int valid_mmap_phys_addr_range(unsigned long pfn, size_t size);
116+
113117
/**
114118
* virt_to_phys - map virtual addresses to physical
115119
* @address: address to remap
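
Review bot: The two new prototypes in io.h carry no comment stating their contract, and their second parameter is named `size` here while the definitions in arch/x86/mm/mmap.c call it `count`. Please pick one name for both files and add a short comment saying that the length is in bytes, that the first argument of valid_mmap_phys_addr_range() is a page frame number rather than a byte address, and that a non-zero return means the range is acceptable. Since the result is used as a truth value, `bool` would express that better than `int`. A one-line comment above `#define ARCH_HAS_VALID_PHYS_ADDR_RANGE` explaining what the macro selects would also help readers who arrive at this header first.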

arch/x86/mm/mmap.c

Lines changed: 12 additions & 0 deletions
@@ -174,3 +174,15 @@ const char *arch_vma_name(struct vm_area_struct *vma)
174174
return "[mpx]";
175175
return NULL;
176176
}
177+
178+
int valid_phys_addr_range(phys_addr_t addr, size_t count)
179+
{
180+
return addr + count <= __pa(high_memory);
181+
}
182+
183+
int valid_mmap_phys_addr_range(unsigned long pfn, size_t count)
184+
{
185+
phys_addr_t addr = (phys_addr_t)pfn << PAGE_SHIFT;
186+
187+
return valid_phys_addr_range(addr, count);
188+
}
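
Review bot: The sum in `return addr + count <= __pa(high_memory);` is not checked for wraparound, so a range whose start is near the top of the phys_addr_t range can wrap to a small value and pass the comparison. The same applies one step earlier in valid_mmap_phys_addr_range(), where `(phys_addr_t)pfn << PAGE_SHIFT` silently discards high bits of pfn on configurations where phys_addr_t cannot hold the shifted value. I would reject the request when the shift or the addition overflows, for example by first testing `addr <= limit` and then `count <= limit - addr`, with the limit computed once. Separately, the commit message describes the bound as the highest valid address in the system and gives a 48-bit bus as its example, while the code compares against `__pa(high_memory)`, which marks the end of directly mapped RAM. Those are different limits, and valid physical ranges above the end of RAM would be refused by this check. Please either justify high_memory in a comment or derive the bound from the supported physical address width. Both functions would also benefit from a comment stating the intended limit.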
