Hi Mathieu,

On (10/10/18 15:19), Mathieu Desnoyers wrote:
[..]
> +SYSCALL_DEFINE4(cpu_opv, struct cpu_op __user *, ucpuopv, int, cpuopcnt,
> +             int, cpu, int, flags)
> +{
[..]
> +again:
> +     ret = cpu_opv_pin_pages(cpuopv, cpuopcnt, &vaddr_ptrs);
> +     if (ret)
> +             goto end;
> +     ret = do_cpu_opv(cpuopv, cpuopcnt, &vaddr_ptrs, cpu);
> +     if (ret == -EAGAIN)
> +             retry = true;
> +end:
> +     for (i = 0; i < vaddr_ptrs.nr_vaddr; i++) {
> +             struct vaddr *vaddr = &vaddr_ptrs.addr[i];
> +             int j;
> +
> +             vm_unmap_user_ram((void *)vaddr->mem, vaddr->nr_pages);
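Review bot: the cleanup at `end:` runs on every exit path, including the one where `cpu_opv_pin_pages()` itself failed, so the visible loop `for (i = 0; i < vaddr_ptrs.nr_vaddr; i++)` relies on `nr_vaddr` counting only entries that were actually mapped when pinning fails part-way; nothing in this hunk shows that guarantee, and a one-line comment above the loop (or at the `goto end` on the pin failure) stating it would make the `vm_unmap_user_ram()` call auditable. In the same hunk, the `again:` label together with `retry = true` on `-EAGAIN` implies the function loops back after unmapping, but no bound on the number of retries is visible here; if the loop is meant to be unbounded, say why it terminates in a comment, otherwise cap it. The local `int j` is declared but not used in the lines shown.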

A dumb question.

Both vm_unmap_user_ram() and vm_map_user_ram() can BUG_ON().
So this is
   userspace -> syscall -> cpu_opv() -> vm_unmap_user_ram() -> BUG_ON()

Any chance someone can exploit it?

        -ss
