mm: prevent mapping slab pages to userspace
It's never appropriate to map a page allocated by SLAB into userspace. A buggy device driver might try this, or an attacker might be able to find a way to make it happen. Christoph said: : Let's just fail the code. Currently this may work with SLUB. But SLAB : and SLOB overlay fields with mapcount. So you would have a corrupted page : struct if you mapped a slab page to user space. Link: http://lkml.kernel.org/r/20190125173827.2658-1-willy@infradead.org Signed-off-by: Matthew Wilcox <willy@infradead.org> Reviewed-by: Kees Cook <keescook@chromium.org> Acked-by: Pekka Enberg <penberg@kernel.org> Cc: Rik van Riel <riel@surriel.com> Cc: Christoph Lameter <cl@linux.com> Cc: David Rientjes <rientjes@google.com> Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com> Cc: Michael Ellerman <mpe@ellerman.id.au> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
This commit is contained in:
parent
afd07389d3
commit
2d432cb709
|
@ -1452,7 +1452,7 @@ static int insert_page(struct vm_area_struct *vma, unsigned long addr,
|
|||
spinlock_t *ptl;
|
||||
|
||||
retval = -EINVAL;
|
||||
if (PageAnon(page))
|
||||
if (PageAnon(page) || PageSlab(page))
|
||||
goto out;
|
||||
retval = -ENOMEM;
|
||||
flush_dcache_page(page);
|
||||
|
|
Loading…
Reference in New Issue