lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Mon, 9 Feb 2009 16:59:20 +1100
From:	Nick Piggin <nickpiggin@...oo.com.au>
To:	wixor <wixorpeek@...il.com>
Cc:	Alexey Dobriyan <adobriyan@...il.com>,
	Arjan van de Ven <arjan@...radead.org>,
	JosephChan@....com.tw, linux-kernel@...r.kernel.org
Subject: Re: viafb triggers BUG at mm/vmalloc.c:294 [kernel 2.6.28.3]

On Sunday 08 February 2009 21:25:13 wixor wrote:
> No, it didn't help really. Even with vmalloc=300M after a couple
> modprobe/rmmods i got the same BUG. And I didn't manage to get
> anything on display. Moreover, rmmod doesn't bring back the vga
> console.

Thanks for reporting. I have a fix for this bug which is an
overflow issue reported by XFS guys... I've just been holding
off merging it because they still seem to have a problem
with vmap that I'm trying to track down.

But if you could test this patch, it would be appreciated.

Thanks,
Nick

---
 mm/vmalloc.c |    6 ++++++
 1 file changed, 6 insertions(+)

Index: linux-2.6/mm/vmalloc.c
===================================================================
--- linux-2.6.orig/mm/vmalloc.c
+++ linux-2.6/mm/vmalloc.c
@@ -334,6 +334,9 @@ retry:
 	addr = ALIGN(vstart, align);
 
 	spin_lock(&vmap_area_lock);
+	if (addr + size < addr)
+		goto overflow;
+
 	/* XXX: could have a last_hole cache */
 	n = vmap_area_root.rb_node;
 	if (n) {
@@ -365,6 +368,8 @@ retry:
 
 		while (addr + size > first->va_start && addr + size <= vend) {
 			addr = ALIGN(first->va_end + PAGE_SIZE, align);
+			if (addr + size < addr)
+				goto overflow;
 
 			n = rb_next(&first->rb_node);
 			if (n)
@@ -375,6 +380,7 @@ retry:
 	}
 found:
 	if (addr + size > vend) {
+overflow:
 		spin_unlock(&vmap_area_lock);
 		if (!purged) {
 			purge_vmap_area_lazy();
.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ