lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <878wzlzu42.fsf_-_@saeurebad.de>
Date:	Thu, 10 Apr 2008 16:01:49 +0200
From:	Johannes Weiner <hannes@...urebad.de>
To:	Andreas Schwab <schwab@...e.de>
Cc:	Roel Kluin <12o3l@...cali.nl>, linux-mm@...ck.org,
	lkml <linux-kernel@...r.kernel.org>, akpm@...ux-foundation.org
Subject: [PATCH] Stay below upper pmd boundary on pte range walk

Hi,

Andreas Schwab <schwab@...e.de> writes:

> Johannes Weiner <hannes@...urebad.de> writes:
>
>>> Signed-off-by: Roel Kluin <12o3l@...cali.nl>
>>> ---
>>> diff --git a/mm/pagewalk.c b/mm/pagewalk.c
>>> index 1cf1417..6615f0b 100644
>>> --- a/mm/pagewalk.c
>>> +++ b/mm/pagewalk.c
>>> @@ -15,7 +15,7 @@ static int walk_pte_range(pmd_t *pmd, unsigned long addr, unsigned long end,
>>>  		       break;
>>>  	} while (pte++, addr += PAGE_SIZE, addr != end);
>>>  
>>> -	pte_unmap(pte);
>>> +	pte_unmap(pte - 1);
>>>  	return err;
>>>  }
>>
>> This does not make any sense to me.
>
> There is something fishy here.  If the loop ends because addr == end
> then pte has been incremented past the pmd page for addr, no?

Whoops, yes.  But Roel's fix breaks if the break is taken in the first
iteration of the loop, because the pte is then out of the lower bounds
of the pmd page.  Please see attached fix.

	Hannes

---

After the loop in walk_pte_range() pte might point to the first address
after the pmd it walks.  The pte_unmap() is then applied to something
bad.

Spotted by Roel Kluin and Andreas Schwab.

Signed-off-by: Johannes Weiner <hannes@...urebad.de>
---

A bug is unlikely, though.  kunmap_atomic() looks up the kmap entry by
map-type instead of the address the pte points.  So the worst thing I
could find with a quick grep was that a wrong TLB entry is being
flushed.  Still, the code is wrong :)

diff --git a/mm/pagewalk.c b/mm/pagewalk.c
index 1cf1417..cf3c004 100644
--- a/mm/pagewalk.c
+++ b/mm/pagewalk.c
@@ -13,7 +13,7 @@ static int walk_pte_range(pmd_t *pmd, unsigned long addr, unsigned long end,
 		err = walk->pte_entry(pte, addr, addr + PAGE_SIZE, private);
 		if (err)
 		       break;
-	} while (pte++, addr += PAGE_SIZE, addr != end);
+	} while (addr += PAGE_SIZE, addr != end && pte++);
 
 	pte_unmap(pte);
 	return err;
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ