Re: [PATCH 1/2] setup_arg_pages can insert overlapping vma

From: Chris Wright <>
Date: 2004-11-25 07:38:32
* Zou, Nanhai ( wrote:
>  <<ia64-vm-overlap.tar.gz>>  <<vma-overlap-fix.patch>> I think the ia64 ia32
> subsystem is not vulnerable to this kind of overlapping vm problem,
> because it does not support the a.out binary format,

I am able to map a section over the arg pages, and for some reason this
case segfaults (in the application).  Disassembly shows garbage left
behind in that page.  AFAICT, this can only cause the app to segfault in

> x86_64 is vulnerable to this.
> Just do a
> perl -e'print"\x07\x01".("\x00"x10)."\x00\xe0\xff\xff".("\x00"x16)' > evilaout
> and you will get it.
> And IA64 is also vulnerable to this kind of bug in its 64-bit ELF support:
> it just inserts a vma for the zero page without checking for overlap, so a
> user can construct an ELF with a section beginning at 0x0 to trigger this
> BUG_ON(). I attach a testcase to trigger this bug.

Yes, I was able to reproduce a similar bug last night on ia64 by placing
a 1k section at 0x1000, and this patch indeed fixes it up.

> I don't know about s390. However, I think it's safe to check for
> overlap before we actually insert a vma into the vma list.
> I also feel that checking for vma overlap everywhere is unnecessary, because
> insert_vm_struct will check it again, so the check is duplicated. It's
> better to have insert_vm_struct return a value and then let the caller check
> whether it succeeded.

Yes, I agree.  That's the question I asked early on.  With no answer I
took the defensive route to be sure the BUG() wasn't there for some valid
reason I was missing.  This looks better.

Linux Security Modules
To unsubscribe from this list: send the line "unsubscribe linux-ia64" in
the body of a message to
More majordomo info at
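The following is an added worked example; it is not code from the thread, the patch, or the kernel. It decodes the 32-byte a.out header that the quoted perl one-liner writes, computes the bss/brk range the OMAGIC loader would map from it, and applies the half-open range overlap test that the thread wants performed before a vma is inserted (returning an error instead of hitting BUG()). The compat stack top of 0xffffe000, the single argument page below it, and the OMAGIC brk computation (start_brk = a_text + a_data with text loaded at 0) are assumptions made for the example, not facts stated on the page.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Linux a.out "struct exec": eight little-endian 32-bit fields, 32 bytes.
 * The perl one-liner quoted in the thread prints exactly this layout. */
struct exec_hdr {
    uint32_t a_info;   /* low 16 bits: magic (0407 = OMAGIC) */
    uint32_t a_text;   /* text size */
    uint32_t a_data;   /* data size */
    uint32_t a_bss;    /* bss size; mapped via brk before the arg pages go in */
    uint32_t a_syms;
    uint32_t a_entry;
    uint32_t a_trsize;
    uint32_t a_drsize;
};

#define OMAGIC       0407
#define EXEC_HDR_LEN 32
#define PAGE_SZ      4096UL

/* Assumed for this example (not stated on the page): the ia32 compat stack
 * top on x86_64 and how many argument pages sit directly below it. */
#define COMPAT_STACK_TOP 0xffffe000UL
#define ARG_PAGES        1

/* Constructed input: the bytes the quoted perl command writes to evilaout. */
static const unsigned char evilaout[EXEC_HDR_LEN] = {
    0x07, 0x01, 0x00, 0x00,   /* a_info: OMAGIC, machine type 0 */
    0x00, 0x00, 0x00, 0x00,   /* a_text = 0 */
    0x00, 0x00, 0x00, 0x00,   /* a_data = 0 */
    0x00, 0xe0, 0xff, 0xff,   /* a_bss  = 0xffffe000 */
    0x00, 0x00, 0x00, 0x00,   /* a_syms */
    0x00, 0x00, 0x00, 0x00,   /* a_entry */
    0x00, 0x00, 0x00, 0x00,   /* a_trsize */
    0x00, 0x00, 0x00, 0x00    /* a_drsize */
};

static uint32_t le32(const unsigned char *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Decode a header. Returns 0 on success, -1 if short or not OMAGIC. */
int parse_exec(const unsigned char *buf, size_t len, struct exec_hdr *ex)
{
    if (len < EXEC_HDR_LEN)
        return -1;
    ex->a_info   = le32(buf + 0);
    ex->a_text   = le32(buf + 4);
    ex->a_data   = le32(buf + 8);
    ex->a_bss    = le32(buf + 12);
    ex->a_syms   = le32(buf + 16);
    ex->a_entry  = le32(buf + 20);
    ex->a_trsize = le32(buf + 24);
    ex->a_drsize = le32(buf + 28);
    return (ex->a_info & 0xffff) == OMAGIC ? 0 : -1;
}

/* Half-open ranges [s1,e1) and [s2,e2) intersect. This is the condition
 * the vma-insert BUG() fires on; the patch checks it before inserting. */
int ranges_overlap(unsigned long s1, unsigned long e1,
                   unsigned long s2, unsigned long e2)
{
    return s1 < e2 && s2 < e1;
}

/* Assumed OMAGIC brk computation: text at 0, start_brk = a_text + a_data,
 * brk = start_brk + a_bss, both page-aligned up before mapping. */
void omagic_brk_range(const struct exec_hdr *ex,
                      unsigned long *start, unsigned long *end)
{
    unsigned long s = (unsigned long)ex->a_text + ex->a_data;
    unsigned long e = s + ex->a_bss;
    *start = (s + PAGE_SZ - 1) & ~(PAGE_SZ - 1);
    *end   = (e + PAGE_SZ - 1) & ~(PAGE_SZ - 1);
}

/* 1 if the bss/brk mapping collides with the argument pages placed just
 * below stack_top (the bug in the thread), 0 if the layout is clean. */
int bss_hits_arg_pages(const struct exec_hdr *ex, unsigned long stack_top)
{
    unsigned long bss_start, bss_end;
    unsigned long args_start = stack_top - ARG_PAGES * PAGE_SZ;
    omagic_brk_range(ex, &bss_start, &bss_end);
    return ranges_overlap(bss_start, bss_end, args_start, stack_top);
}

/* Minimal stand-in for a vma list: [start,end) ranges already mapped. */
struct vma { unsigned long start, end; };

/* The "check before insert" the thread argues for: -1 if [start,end) would
 * overlap an existing vma (caller fails the exec), 0 if it can be inserted. */
int vma_insert_would_overlap(const struct vma *vmas, size_t n,
                             unsigned long start, unsigned long end)
{
    size_t i;
    for (i = 0; i < n; i++)
        if (ranges_overlap(vmas[i].start, vmas[i].end, start, end))
            return -1;
    return 0;
}

int main(void)
{
    struct exec_hdr ex;
    unsigned long s, e;
    if (parse_exec(evilaout, sizeof evilaout, &ex) != 0) {
        puts("not an OMAGIC a.out header");
        return 1;
    }
    omagic_brk_range(&ex, &s, &e);
    printf("bss/brk mapping: [0x%lx, 0x%lx)\n", s, e);
    printf("overlaps arg pages below 0x%lx: %s\n", COMPAT_STACK_TOP,
           bss_hits_arg_pages(&ex, COMPAT_STACK_TOP) ? "yes" : "no");
    return 0;
}
```

With the quoted header the brk mapping runs from 0 up to exactly the assumed stack top, so the argument pages that are set up afterwards land inside an existing mapping; vma_insert_would_overlap() is the shape of check that lets the loader refuse the binary instead of reaching BUG().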
Received on Wed Nov 24 15:40:48 2004

This archive was generated by hypermail 2.1.8 : 2005-08-02 09:20:32 EST