mm/memory.c: actually remap enough memory

For whatever reason, generic_access_phys() only remaps one page, but actually allows to access arbitrary size. It's quite easy to trigger large reads, like printing out large structure with gdb, which leads to a crash. Fix it by remapping correct size. Fixes: 28b2ee20c7cb ("access_process_vm device memory infrastructure") Signed-off-by: Grazvydas Ignotas <notasas@gmail.com> Cc: Rik van Riel <riel@redhat.com> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

mm/memory.c: actually remap enough memory
For whatever reason, generic_access_phys() only remaps one page, but actually allows to access arbitrary size. It's quite easy to trigger large reads, like printing out large structure with gdb, which leads to a crash. Fix it by remapping correct size. Fixes: 28b2ee20c7cb ("access_process_vm device memory infrastructure") Signed-off-by: Grazvydas Ignotas <notasas@gmail.com> Cc: Rik van Riel <riel@redhat.com> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Grazvydas Ignotas · Linus Torvalds · Eric Lee · Eric Lee
1 parent 8f4ab07f4b
Showing 1 changed file with 1 additions and 1 deletions Side-by-side Diff
mm/memory.c
@@ -3462,7 +3462,7 @@
 	if (follow_phys(vma, addr, write, &prot, &phys_addr))
 		return -EINVAL;
  
-	maddr = ioremap_prot(phys_addr, PAGE_SIZE, prot);
+	maddr = ioremap_prot(phys_addr, PAGE_ALIGN(len + offset), prot);
 	if (write)
 		memcpy_toio(maddr + offset, buf, len);
 	else
...	...	@@ -3462,7 +3462,7 @@
3462	3462	if (follow_phys(vma, addr, write, &prot, &phys_addr))
3463	3463	return -EINVAL;
3464	3464
3465		- maddr = ioremap_prot(phys_addr, PAGE_SIZE, prot);
	3465	+ maddr = ioremap_prot(phys_addr, PAGE_ALIGN(len + offset), prot);
3466	3466	if (write)
3467	3467	memcpy_toio(maddr + offset, buf, len);
3468	3468	else