fs/proc/kcore.c: fix invalid memory access in multi-page read optimization

martinetd · gregkh · commit a1b3d2f217cf · 2018-09-20T22:01:11.000+02:00
The 'm' kcore_list item could point to kclist_head, and it is incorrect to look at m->addr / m->size in this case. There is no choice but to run through the list of entries for every address if we did not find any entry in the previous iteration Reset 'm' to NULL in that case at Omar Sandoval's suggestion. [akpm@linux-foundation.org: add comment] Link: http://lkml.kernel.org/r/1536100702-28706-1-git-send-email-asmadeus@codewreck.org Fixes: bf991c2 ("proc/kcore: optimize multiple page reads") Signed-off-by: Dominique Martinet <asmadeus@codewreck.org> Reviewed-by: Andrew Morton <akpm@linux-foundation.org> Cc: Omar Sandoval <osandov@osandov.com> Cc: Alexey Dobriyan <adobriyan@gmail.com> Cc: Eric Biederman <ebiederm@xmission.com> Cc: James Morse <james.morse@arm.com> Cc: Bhupesh Sharma <bhsharma@redhat.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
diff --git a/fs/proc/kcore.c b/fs/proc/kcore.c
@@ -464,6 +464,7 @@ read_kcore(struct file *file, char __user *buffer, size_t buflen, loff_t *fpos)
 				ret = -EFAULT;
 				goto out;
 			}
+			m = NULL;	/* skip the list anchor */
 		} else if (m->type == KCORE_VMALLOC) {
 			vread(buf, (char *)start, tsz);
 			/* we have to zero-fill user buffer even if no read */

Original file line number	Diff line number	Diff line change
`@@ -464,6 +464,7 @@ read_kcore(struct file file, char __user buffer, size_t buflen, loff_t *fpos)`
`464`	`464`	`ret = -EFAULT;`
`465`	`465`	`goto out;`
`466`	`466`	`}`
	`467`	`+ m = NULL; /* skip the list anchor */`
`467`	`468`	`} else if (m->type == KCORE_VMALLOC) {`
`468`	`469`	`vread(buf, (char *)start, tsz);`
`469`	`470`	`/* we have to zero-fill user buffer even if no read */`