| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <8763ujhz4a.fsf_-_@saeurebad.de>
Date: Tue, 15 Apr 2008 18:16:53 +0200
From: Johannes Weiner <hannes@...urebad.de>
To: Mikael Pettersson <mikpe@...uu.se>
Cc: LKML <linux-kernel@...r.kernel.org>, Roel Kluin <12o3l@...cali.nl>,
Andreas Schwab <schwab@...e.de>,
Matt Mackall <mpm@...enic.com>,
Andrew Morton <akpm@...ux-foundation.org>
Subject: [PATCH v2] mm: Fix possible off-by-one in walk_pte_range()
Hi,
Mikael Pettersson <mikpe@...uu.se> writes:
> Johannes Weiner writes:
> > After the loop in walk_pte_range() pte might point to the first address
> > after the pmd it walks. The pte_unmap() is then applied to something
> > bad.
> >
> > Spotted by Roel Kluin and Andreas Schwab.
> >
> > Signed-off-by: Johannes Weiner <hannes@...urebad.de>
> > CC: Roel Kluin <12o3l@...cali.nl>
> > CC: Andreas Schwab <schwab@...e.de>
> > CC: Matt Mackall <mpm@...enic.com>
> > CC: Andrew Morton <akpm@...ux-foundation.org>
> > ---
> >
> > A bug is unlikely, though. kunmap_atomic() looks up the kmap entry by
> > map-type instead of the address the pte points. So the worst thing I
> > could find with a quick grep was that a wrong TLB entry is being
> > flushed. Still, the code is wrong :)
> >
> > diff --git a/mm/pagewalk.c b/mm/pagewalk.c
> > index 1cf1417..cf3c004 100644
> > --- a/mm/pagewalk.c
> > +++ b/mm/pagewalk.c
> > @@ -13,7 +13,7 @@ static int walk_pte_range(pmd_t *pmd, unsigned long addr, unsigned long end,
> > err = walk->pte_entry(pte, addr, addr + PAGE_SIZE, private);
> > if (err)
> > break;
> > - } while (pte++, addr += PAGE_SIZE, addr != end);
> > + } while (addr += PAGE_SIZE, addr != end && pte++);
>
> Instead of obfuscating the code by putting "&& pte++" in the
> condition (it will always be true in valid C), you should IMO
> rewrite the do-while as a for loop + break, like this:
>
> for (;;) {
> // same body as before
> addr += PAGE_SIZE;
> if (addr == end)
> break;
> pte++;
> }
Sorry, I think too lispy :)
Hannes
---
From: Johannes Weiner <hannes@...urebad.de>
Subject: [PATCH] mm: Fix possible off-by-one in walk_pte_range()
After the loop in walk_pte_range() pte might point to the first address
after the pmd it walks. The pte_unmap() is then applied to something
bad.
Spotted by Roel Kluin and Andreas Schwab.
Signed-off-by: Johannes Weiner <hannes@...urebad.de>
CC: Roel Kluin <12o3l@...cali.nl>
CC: Andreas Schwab <schwab@...e.de>
CC: Matt Mackall <mpm@...enic.com>
CC: Andrew Morton <akpm@...ux-foundation.org>
---
A bug is unlikely, though. kunmap_atomic() looks up the kmap entry by
map-type instead of the address the pte points. So the worst thing I
could find with a quick grep was that a wrong TLB entry is being
flushed. Still, the code is wrong :)
diff --git a/mm/pagewalk.c b/mm/pagewalk.c
index 1cf1417..0afd238 100644
--- a/mm/pagewalk.c
+++ b/mm/pagewalk.c
@@ -9,11 +9,15 @@ static int walk_pte_range(pmd_t *pmd, unsigned long addr, unsigned long end,
int err = 0;
pte = pte_offset_map(pmd, addr);
- do {
+ for (;;) {
err = walk->pte_entry(pte, addr, addr + PAGE_SIZE, private);
if (err)
break;
- } while (pte++, addr += PAGE_SIZE, addr != end);
+ addr += PAGE_SIZE;
+ if (addr == end)
+ break;
+ pte++;
+ }
pte_unmap(pte);
return err;
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists