lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20071101184555.GB5955@us.ibm.com>
Date:	Thu, 1 Nov 2007 11:45:55 -0700
From:	Gary Hade <garyhade@...ibm.com>
To:	Andrew Morton <akpm@...ux-foundation.org>
Cc:	Yinghai Lu <Yinghai.Lu@....COM>,
	Greg Kroah-Hartman <gregkh@...e.de>,
	Gary Hade <garyhade@...ibm.com>,
	Thomas Gleixner <tglx@...utronix.de>,
	LKML <linux-kernel@...r.kernel.org>, linux-acpi@...r.kernel.org
Subject: Re: [PATCH] x86: check boundary in count/setup_resource called by get_current_resources

On Thu, Nov 01, 2007 at 01:32:39AM -0700, Andrew Morton wrote:
> On Thu, 01 Nov 2007 01:20:29 -0700 Yinghai Lu <Yinghai.Lu@....COM> wrote:
> 
> > [PATCH] x86: check boundary in count/setup_resource called by get_current_resources
> > 
> > need to check info->res_num less than PCI_BUS_NUM_RESOURCES, so
> > info->bus->resource[info->res_num] = res will not beyond of bus resource array
> > when acpi resutrn too many resource entries.
> > 
> 
> Isn't this a bit of a problem?  It sounds like PCI_BUS_NUM_RESOURCES is to
> small for that system?  If so, some sort of dynamic allocation might be
> needed.

I should have considered the possible resource array overrun
when I created these functions.  I had assumed (apparently
incorrectly) that the old PCI_BUS_NUM_RESOURCES value of 4
was based on a spec defined limit on the maximum number of 
resources that _CRS can return.

I recently noticed the potential overrun myself while backporting
the code to kernel source where PCI_BUS_NUM_RESOURCES was initially
defined as 4.  This happened on a system where the _CRS associated
with one of the root bridges returned 5 resources with the 5th causing
a write beyond the end of the array.  Increasing PCI_BUS_NUM_RESOURCES
to the current value of 8 eliminated the overrun that I experienced 
but after discovering that there is apparently no limit on the
number of resources that _CRS can return I had intended to post
a change similar to what Yinghai Lu is proposing.

With the current PCI_BUS_NUM_RESOURCES value, _CRS can return 
up to 8 resources before the pci_bus resource array is totally
saturated but it should be noted that if a transparent bridge
is present below the root bridge it's child bus will only see
the first 5 resources.

The current fixed pci_bus resource array size of 8 is adequate 
(for storing _CRS returned resource and visibility across
transparent bridges) on those systems that I work on but without
a bound on the number of resources returned by _CRS some sort
of dynamic allocation certainly makes sense.

Note that exposure to this issue is currently limited to those
that use the 'pci=use_crs' kernel option. 

Gary

-- 
Gary Hade
System x Enablement
IBM Linux Technology Center
503-578-4503  IBM T/L: 775-4503
garyhade@...ibm.com
http://www.ibm.com/linux/ltc

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ