lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <9a158e2e0910130201m1f63a7d7h15c8a7445a36cd51@mail.gmail.com>
Date:	Tue, 13 Oct 2009 02:01:03 -0700
From:	Kyle Hubert <khubert@...il.com>
To:	linux-kernel@...r.kernel.org
Subject: iommu-helper.c -> find_next_zero_area errors

In the function find_next_zero_area in iommu-helper.c, I think there
are two small issues. For one, it appears the conditionals after
find_next_zero_bit will cause failures when there is still room in the
IOMMU area. Here is the code in question:

  15again:
  16        index = find_next_zero_bit(map, size, start);
  17
  18        /* Align allocation */
  19        index = (index + align_mask) & ~align_mask;
  20
  21        end = index + nr;
  22        if (end >= size)
  23                return -1;
  24        for (i = index; i < end; i++) {
  25                if (test_bit(i, map)) {
  26                        start = i+1;
  27                        goto again;
  28                }
  29        }
  30        return index;

On line 16, we get the index with the next zero bit in the bit-field.
Then the "end" value is compared against size on line 22. By testing
for >=, an allocation of 64 elements in a 64 bit bit-field would
result in (0 + 64) >= 64. This means it would return -1, or, no space.
Anything that butts against the end of the area will fail.

Then continuing on to line 24, we see the for loop starting at the
"index" value. Index was just returned by find_next_zero_bit, so we
know it's zero, and there is no reason to call test_bit on it. This is
just a spurious execution of the loop.

I would think you would want it to look like this:

-       if (end >= size)
+       if (end > size)
               return -1;
-       for (i = index; i < end; i++) {
+       for (i = index + 1; i < end; i++) {

Thanks,

-Kyle Hubert
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ