lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:   Tue, 23 Aug 2016 17:24:04 +0800
From:   Xulin Sun <xulin.sun@...driver.com>
To:     <vinod.koul@...el.com>, <colin.king@...onical.com>,
        <dmaengine@...r.kernel.org>
CC:     Xulin Sun <xulin.sun@...driver.com>, <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] dmaengine: do not allow access outside of unmap_pool

 >On Tue, May 17, 2016 at 01:00:46PM +0100, Colin King wrote:
 >> From: Colin Ian King <colin.king@...onical.com>
 >>
 >> When CONFIG_DMA_ENGINE_RAID is defined, unmap_pool[] is just 1
 >> element in size, however, allows orders of 2..8 to access
 >> outside unmap_pool and returns an invalid address. Ensure
 >> we fall into the default path and report a BUG() when
 >> CONFIG_DMA_ENGINE_RAID is defined and order is out of range.
 >>
 >> Signed-off-by: Colin Ian King <colin.king@...onical.com>
 >> ---
 >>  drivers/dma/dmaengine.c | 2 ++
 >>  1 file changed, 2 insertions(+)
 >>
 >> diff --git a/drivers/dma/dmaengine.c b/drivers/dma/dmaengine.c
 >> index 8c9f45f..6027e66 100644
 >> --- a/drivers/dma/dmaengine.c
 >> +++ b/drivers/dma/dmaengine.c
 >> @@ -1100,12 +1100,14 @@ static struct dmaengine_unmap_pool 
*__get_unmap_pool(int nr)
 >>      switch (order) {
 >>      case 0 ... 1:
 >>          return &unmap_pool[0];
 >> +    #if IS_ENABLED(CONFIG_DMA_ENGINE_RAID)

 >Okay if CONFIG_DMA_ENGINE_RAID is enabled (m or y) then IS_ENABLED
 >return 1, so we will go inside and not fall into default. And I though
 >by changelog that you want it to go to default in CONFIG_DMA_ENGINE_RAID
 >is defined!

 >What did I miss...

Here it should be when CONFIG_DMA_ENGINE_RAID is NOT defined, 
unmap_pool[] is just 1
element in size,  and the function "__get_unmap_pool" will access 
outside of the array unmap_pool[]
in case orders of 2..8 and returns an invalid address, and I encountered 
the issue.

I think the patch is needed to avoid visiting outside of the array 
unmap_pool[] if CONFIG_DMA_ENGINE_RAID is NOT defined.

Thanks
Xulin
 >>      case 2 ... 4:
 >>          return &unmap_pool[1];
 >>      case 5 ... 7:
 >>          return &unmap_pool[2];
 >>      case 8:
 >>          return &unmap_pool[3];
 >> +    #endif
 >>      default:
 >>          BUG();
 >>          return NULL;
 >> --
 >> 2.8.1
 >>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ