• Craig Bergstrom's avatar
    x86/mm: Limit mmap() of /dev/mem to valid physical addresses · be62a320
    Craig Bergstrom authored
    One thing /dev/mem access APIs should verify is that there's no way
    that excessively large pfn's can leak into the high bits of the
    page table entry.
    
    In particular, if people can use "very large physical page addresses"
    through /dev/mem to set the bits past bit 58 - SOFTW4 and permission
    key bits and NX bit, that could *really* confuse the kernel.
    
    We had an earlier attempt:
    
      ce56a86e ("x86/mm: Limit mmap() of /dev/mem to valid physical addresses")
    
    ... which turned out to be too restrictive (breaking mem=... bootups for example) and
    had to be reverted in:
    
      90edaac6 ("Revert "x86/mm: Limit mmap() of /dev/mem to valid physical addresses"")
    
    This v2 attempt modifies the original patch and makes sure that mmap(/dev/mem)
    limits the pfns so that it at least fits in the actual pteval_t architecturally:
    
     - Make sure mmap_mem() actually validates that the offset fits in phys_addr_t
    
        ( This may be indirectly true due to some other check, but it's not
          entirely obvious. )
    
     - Change valid_mmap_phys_addr_range() to just use phys_addr_valid()
       on the top byte
    
        ( Top byte is sufficient, because mmap_mem() has already checked that
          it cannot wrap. )
    
     - Add a few comments about what the valid_phys_addr_range() vs.
       valid_mmap_phys_addr_range() difference is.
    Signed-off-by: default avatarCraig Bergstrom <craigb@google.com>
    [ Fixed the checks and added comments. ]
    Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
    [ Collected the discussion and patches into a commit. ]
    Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
    Cc: Fengguang Wu <fengguang.wu@intel.com>
    Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Cc: Hans Verkuil <hans.verkuil@cisco.com>
    Cc: Mauro Carvalho Chehab <mchehab@s-opensource.com>
    Cc: Peter Zijlstra <peterz@infradead.org>
    Cc: Sander Eikelenboom <linux@eikelenboom.it>
    Cc: Sean Young <sean@mess.org>
    Cc: Thomas Gleixner <tglx@linutronix.de>
    Link: http://lkml.kernel.org/r/CA+55aFyEcOMb657vWSmrM13OxmHxC-XxeBmNis=DwVvpJUOogQ@mail.gmail.comSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
    be62a320
mem.c 19.9 KB