lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date:	Mon, 10 Nov 2008 16:43:59 +0800
From:	"wzt wzt" <wzt.wzt@...il.com>
To:	linux-kernel@...r.kernel.org
Subject: Is it a bug with __get_vm_area_node?

the __get_vm_area_node() doesn't check the  parameter start and end.

__get_vm_area_node() called by __get_vm_area(), its a export function.

If some drivers pass a bad value to start, such as 0.  it will
something wrong with vmlist.


static struct vm_struct *
__get_vm_area_node(unsigned long size, unsigned long flags, unsigned long start,
                unsigned long end, int node, gfp_t gfp_mask, void *caller)
{

...

        write_lock(&vmlist_lock);
        for (p = &vmlist; (tmp = *p) != NULL ;p = &tmp->next) {
                if ((unsigned long)tmp->addr < addr) {
                        if((unsigned long)tmp->addr + tmp->size >= addr)
                                addr = ALIGN(tmp->size +
                                             (unsigned long)tmp->addr, align);
                        continue;
                }
                if ((size + addr) < addr)
                        goto out;
                if (size + addr <= (unsigned long)tmp->addr)     // if
addr is 0, the loop will be immediately break.
                        goto found;
                addr = ALIGN(tmp->size + (unsigned long)tmp->addr, align);
                if (addr > end - size)
                        goto out;
        }
        if ((size + addr) < addr)
                goto out;
        if (addr > end - size)
                goto out;

// if addr is 0,  it will be add a trash vm_struct to vmlist.
found:
        area->next = *p;
        *p = area;

        area->flags = flags;
        area->addr = (void *)addr;
        area->size = size;
        area->pages = NULL;
        area->nr_pages = 0;
        area->phys_addr = 0;
        area->caller = caller;
        write_unlock(&vmlist_lock);

        return area;
...
}

I don't kown,  weather it's a bug.

If it's a bug, my patch is:

--- linux-2.6.27.orig/mm/vmalloc.c      2008-11-11 00:22:28.000000000 +0800
+++ linux-2.6.27/mm/vmalloc.c   2008-11-11 00:28:31.000000000 +0800
@@ -214,6 +214,9 @@ __get_vm_area_node(unsigned long size, u
        unsigned long align = 1;
        unsigned long addr;

+       if (start < VMALLOC_START || end > VMALLOC_END)
+               return NULL;
+
        BUG_ON(in_interrupt());
        if (flags & VM_IOREMAP) {
                int bit = fls(size);
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ