lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Tue, 15 Apr 2008 17:36:30 +0200
From:	Mikael Pettersson <mikpe@...uu.se>
To:	Johannes Weiner <hannes@...urebad.de>
Cc:	LKML <linux-kernel@...r.kernel.org>, Roel Kluin <12o3l@...cali.nl>,
	Andreas Schwab <schwab@...e.de>,
	Matt Mackall <mpm@...enic.com>,
	Andrew Morton <akpm@...ux-foundation.org>
Subject: Re: [PATCH] mm: Fix possible off-by-one in walk_pte_range()

Johannes Weiner writes:
 > After the loop in walk_pte_range() pte might point to the first address
 > after the pmd it walks.  The pte_unmap() is then applied to something
 > bad.
 > 
 > Spotted by Roel Kluin and Andreas Schwab.
 > 
 > Signed-off-by: Johannes Weiner <hannes@...urebad.de>
 > CC: Roel Kluin <12o3l@...cali.nl>
 > CC: Andreas Schwab <schwab@...e.de>
 > CC: Matt Mackall <mpm@...enic.com>
 > CC: Andrew Morton <akpm@...ux-foundation.org>
 > ---
 > 
 > A bug is unlikely, though.  kunmap_atomic() looks up the kmap entry by
 > map-type instead of the address the pte points.  So the worst thing I
 > could find with a quick grep was that a wrong TLB entry is being
 > flushed.  Still, the code is wrong :)
 > 
 > diff --git a/mm/pagewalk.c b/mm/pagewalk.c
 > index 1cf1417..cf3c004 100644
 > --- a/mm/pagewalk.c
 > +++ b/mm/pagewalk.c
 > @@ -13,7 +13,7 @@ static int walk_pte_range(pmd_t *pmd, unsigned long addr, unsigned long end,
 >  		err = walk->pte_entry(pte, addr, addr + PAGE_SIZE, private);
 >  		if (err)
 >  		       break;
 > -	} while (pte++, addr += PAGE_SIZE, addr != end);
 > +	} while (addr += PAGE_SIZE, addr != end && pte++);

Instead of obfuscating the code by putting "&& pte++" in the
condition (it will always be true in valid C), you should IMO
rewrite the do-while as a for loop + break, like this:

	for (;;) {
	    // same body as before
	    addr += PAGE_SIZE;
	    if (addr == end)
	        break;
	    pte++;
	}

This makes the ordering constraints very clear.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ