Hi Alexei, I recently noticed that the verifier_arena_large selftest would fail on the overflow and underflow section for 64k page size kernels. After a deeper investigation, the similar issue is also reproducible on 4k page size over both x86 and aarch64 platforms. The root reason of this failure looks to be a failed or missing check of the pointer upper 32-bit from the user space. User space could access the arena space value even the pointer is not in the assigned user space pointer range. For example, if the user_vm_start is 7f7d26200000 and arena size is 4G (end upper bound is 7f7e26200000), when I set *(7f7e26200000 - 65536) = 20, I could also get the value of (7f7d26200000 - 65536) as 20. It should be 0 if that is out of the range. Could you please take a look at this issue? Or could you please point me where is the place doing the address translation and I could try to provide a patch for this? Thank you very much. Yifei Methods on reproduce: 1. Use a 64k page size arm based kernel and run verifier_arena_large selftest, it would failed on return 12 and 13. Or 2. Use a 4k page size arm or x86 kernel, set the page2 start address to be base + ARENA_SIZE - PAGE_SIZE*16 and also check if (*(page1 - PAGE_SIZE) != 0) for return 12.
