lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Mon, 29 Jan 2024 11:28:51 -0800
From: Kees Cook <keescook@...omium.org>
To: Geert Uytterhoeven <geert@...ux-m68k.org>
Cc: "Behme Dirk (CM/ESO2)" <dirk.behme@...bosch.com>,
	Linux-Renesas <linux-renesas-soc@...r.kernel.org>,
	Yoshihiro Shimoda <yoshihiro.shimoda.uh@...esas.com>,
	linux-hardening@...r.kernel.org
Subject: Re: rcar-dmac.c: race condition regarding cookie handling?

On Mon, Jan 29, 2024 at 08:08:28PM +0100, Geert Uytterhoeven wrote:
> Hi Kees,
> 
> On Mon, Jan 29, 2024 at 6:38 PM Kees Cook <keescook@...omium.org> wrote>
> > On Mon, Jan 29, 2024 at 10:57:40AM +0100, Geert Uytterhoeven wrote:
> > > CC Kees (for the wrap-around in dma_cookie_assign() not handled in [A])
> > > [...]
> > > Was the system running for a very long time?
> > > dma_cookie_assign() relies on 2-complement signed wrap-around:
> > >
> > >         cookie = chan->cookie + 1;
> > >         if (cookie < DMA_MIN_COOKIE)
> > >                 cookie = DMA_MIN_COOKIE;
> > >
> > > but given the kernel is compiled with -fno-strict-overflow (which
> > > implies -fwrapv) that should work.
> >
> > For my own reference:
> >
> > typedef s32 dma_cookie_t;
> > #define DMA_MIN_COOKIE  1
> >
> > struct dma_chan {
> >         ...
> >         dma_cookie_t cookie;
> >
> > Correct, as you say, with -fno-strict-overflow this is well defined, and
> > will wrap the value around negative if chan->cookie was S32_MAX.
> >
> > In the future, when the signed integer wrap-around sanitizer works
> > again, we'll want to change the math to something like:
> >
> >         cookie = add_wrap(typeof(cookie), chan->cookie, 1);
> >
> > But that will be an ongoing conversion once folks have agreed on the
> > semantics of the wrapping helpers, which is not settled yet.
> >
> > If you want to handle this today without depending on wrap-around,
> > it's a little bit more involved to do it open coded, but it's possible:
> >
> >         if (chan->cookie == type_max(typeof(chan->cookie)))
> >                 cookie = DMA_MIN_COOKIE;
> >         else
> >                 cookie = chan->cookie + 1;
> >
> > the "type_max(...)" part could also just be written as S32_MAX.
> 
> It's actually more complicated: this code is also used to make sure
> any other values outside the valid range (e.g. initial zero are
> converted to DMA_MIN_COOKIE.  So the above would not be correct
> replacements for the current logic.
> 
> DMA cookies can also contain negative error values, hence the signed
> type. However, I don't think that can be the case for the chan->cookie
> counter, only for cookies stored in descriptors.

Ah! Okay, well, if it was true here too, then the "if" would just need
to be expanded:

         if (chan->cookie < DMA_MIN_COOKIE ||
	     chan->cookie == type_max(typeof(chan->cookie)))
                 cookie = DMA_MIN_COOKIE;
         else
                 cookie = chan->cookie + 1;

-- 
Kees Cook

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ