Differential D25328

Add a helper function for validating VA ranges.
ClosedPublic
Actions

Authored by markj on Jun 17 2020, 6:30 PM.

Tags

None

Referenced Files

	Unknown Object (File)
	Oct 19 2024, 2:01 PM

	Unknown Object (File)
	Oct 8 2024, 5:49 AM

	Unknown Object (File)
	Sep 11 2024, 6:30 PM

	Unknown Object (File)
	Sep 10 2024, 8:23 PM

	Unknown Object (File)
	Sep 8 2024, 9:49 PM

	Unknown Object (File)
	Sep 8 2024, 10:46 AM

	Unknown Object (File)
	Sep 8 2024, 7:41 AM

	Unknown Object (File)
	Sep 5 2024, 7:08 AM

View All 44 Files

Subscribers

Details

Reviewers

alc
kib
dougm

Commits

rS362361: Add a helper function for validating VA ranges.

Summary

Functions which take untrusted user ranges must validate against the
bounds of the map, and also check for wraparound. Instead of having the
same logic duplicated in a number of places, add a function to check.

This somewhat duplicates the VM_MAP_RANGE_CHECK macro, which does not in
fact do any checking but rather clips the range based on the map bounds.
Some functions (like kern_mprotect()) rely on this, while others
(kern_madvise()) do not. As a future step I think we should add such
checking to all syscall paths, and convert VM_MAP_RANGE_CHECK to
assert the validity of the range.

Diff Detail

Repository

rS FreeBSD src repository - subversion

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

markj requested review of this revision.Jun 17 2020, 6:30 PM

markj created this revision.

markj added reviewers: alc, kib, dougm.Jun 17 2020, 6:42 PM

Harbormaster completed remote builds in B31780: Diff 73232.Jun 18 2020, 9:20 AM

kib added inline comments.Jun 18 2020, 2:38 PM

sys/vm/vm_map.h
262 ↗	(On Diff #73232)	At least the code in vm_map.c does <= check there. I think it visibly changes the user error code.

markj added inline comments.Jun 18 2020, 2:45 PM

sys/vm/vm_map.h
262 ↗	(On Diff #73232)	That case is weird. Note it checks addr + length <= length, not <= addr. So it is just checking for overflow, not for length == 0. I'm not sure if it is intended or not.

kib accepted this revision.Jun 18 2020, 5:12 PM

This revision is now accepted and ready to land.Jun 18 2020, 5:12 PM

dougm added inline comments.Jun 18 2020, 5:17 PM

sys/vm/vm_map.c
1619 ↗	(On Diff #73232)	Why is this test different from the others?

markj added inline comments.Jun 18 2020, 5:18 PM

sys/vm/vm_map.c
1619 ↗	(On Diff #73232)	I just missed it.

See also vm_fault_quick_hold_pages in vm_fault.c.

Add a few more checks.

This revision now requires review to proceed.Jun 18 2020, 9:40 PM

Herald added a subscriber: emaste. · View Herald TranscriptJun 18 2020, 9:40 PM

Harbormaster completed remote builds in B31812: Diff 73295.Jun 18 2020, 9:40 PM

In D25328#558903, @dougm wrote:

See also vm_fault_quick_hold_pages in vm_fault.c.

Thanks. I also converted a similar check in the LinuxKPI.

kib accepted this revision.Jun 18 2020, 10:05 PM

This revision is now accepted and ready to land.Jun 18 2020, 10:05 PM

dougm accepted this revision.Jun 18 2020, 10:40 PM

dougm added inline comments.

sys/vm/vm_map.h
260 ↗	(On Diff #73295)	vm_map_valid_range sounds more boolean. A non-blocking suggestion.

markj added inline comments.Jun 19 2020, 3:28 AM

sys/vm/vm_map.h
260 ↗	(On Diff #73295)	I think that sounds better. vm_map_range_valid() seems a bit more natural to me, so I will go with that.

Closed by commit rS362361: Add a helper function for validating VA ranges. (authored by markj). · Explain WhyJun 19 2020, 3:32 AM

This revision was automatically updated to reflect the committed changes.

markj added a commit: rS362361: Add a helper function for validating VA ranges..

Herald added a subscriber: imp. · View Herald TranscriptJun 19 2020, 3:32 AM

alc added inline comments.Jun 19 2020, 5:09 AM

head/sys/compat/linuxkpi/common/src/linux_page.c
222	This assignment is pointless. See below.

Revision Contents
Changeset List

Path

Size

head/

sys/

compat/

linuxkpi/

common/

src/

2 lines

vm/

5 lines

11 lines

12 lines

25 lines

Diff 73311

head/sys/compat/linuxkpi/common/src/linux_page.c

Loading...

head/sys/vm/vm_fault.c

Loading...

head/sys/vm/vm_map.h

Loading...

head/sys/vm/vm_map.c

Loading...

head/sys/vm/vm_mmap.c

Loading...