Skip to content

Commit

Permalink
mm: prevent mapping slab pages to userspace
Browse files Browse the repository at this point in the history 
It's never appropriate to map a page allocated by SLAB into userspace.
A buggy device driver might try this, or an attacker might be able to
find a way to make it happen.

Christoph said:

: Let's just fail the code.  Currently this may work with SLUB.  But SLAB
: and SLOB overlay fields with mapcount.  So you would have a corrupted page
: struct if you mapped a slab page to user space.

Link: http://lkml.kernel.org/r/[email protected]
Signed-off-by: Matthew Wilcox <[email protected]>
Reviewed-by: Kees Cook <[email protected]>
Acked-by: Pekka Enberg <[email protected]>
Cc: Rik van Riel <[email protected]>
Cc: Christoph Lameter <[email protected]>
Cc: David Rientjes <[email protected]>
Cc: Joonsoo Kim <[email protected]>
Cc: Michael Ellerman <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
  • Loading branch information
@torvalds
Matthew Wilcox authored and torvalds committed Mar 6, 2019
1 parent afd0738 commit 2d432cb
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion mm/memory.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1452,7 +1452,7 @@ static int insert_page(struct vm_area_struct *vma, unsigned long addr,
spinlock_t *ptl;

retval = -EINVAL;
if (PageAnon(page))
if (PageAnon(page) || PageSlab(page))
goto out;
retval = -ENOMEM;
flush_dcache_page(page);
Expand Down

0 comments on commit 2d432cb

Please sign in to comment.