lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Wed, 13 Oct 2010 11:26:21 +0900
From:	Hitoshi Mitake <mitake@....info.waseda.ac.jp>
To:	Peter Zijlstra <peterz@...radead.org>
CC:	Ingo Molnar <mingo@...hat.com>, linux-kernel@...r.kernel.org,
	h.mitake@...il.com, Dmitry Torokhov <dtor@...l.ru>,
	Vojtech Pavlik <vojtech@....cz>,
	Frederic Weisbecker <fweisbec@...il.com>
Subject: Re: [PATCH 1/2] lockdep: check the depth of subclass

On 10/12/10 19:27, Peter Zijlstra wrote:
 > On Tue, 2010-10-05 at 18:01 +0900, Hitoshi Mitake wrote:
 >> Current look_up_lock_class() doesn't check the parameter "subclass".
 >> This rarely rises problems because the main caller of this function,
 >> register_lock_class(), checks it.
 >> But register_lock_class() is not the only function which calls
 >> look_up_lock_class(). lock_set_class() and its callees also call it.
 >> And lock_set_class() doesn't check this parameter.
 >>
 >> This will rise problems when the the value of subclass is larger
 >> MAX_LOCKDEP_SUBCLASSES. Because the address (used as the key of class)
 >> caliculated with too large subclass has a possibility to point
 >> another key in different lock_class_key.
 >> Of course this problem depends on the memory layout and
 >> occurs with really low possibility.
 >>
 >> And mousedev_create() calles lockdep_set_subclass() and
 >> sets class of mousedev->mutex as MOUSEDEV_MIX(== 31).
 >> And if my understanding is correct,
 >> this subclass doesn't have to be MOUSEDEV_MIX,
 >> so I modified this value to SINGLE_DEPTH_NESTING.
 >>
 >> Signed-off-by: Hitoshi Mitake<mitake@....info.waseda.ac.jp>
 >> Cc: Dmitry Torokhov<dtor@...l.ru>
 >> Cc: Vojtech Pavlik<vojtech@....cz>
 >> Cc: Peter Zijlstra<peterz@...radead.org>
 >> Cc: Frederic Weisbecker<fweisbec@...il.com>
 >> ---
 >>   drivers/input/mousedev.c |    2 +-
 >>   kernel/lockdep.c         |   15 +++++++++++++++
 >>   2 files changed, 16 insertions(+), 1 deletions(-)
 >>
 >> diff --git a/drivers/input/mousedev.c b/drivers/input/mousedev.c
 >> index d528a2d..9897334 100644
 >> --- a/drivers/input/mousedev.c
 >> +++ b/drivers/input/mousedev.c
 >> @@ -866,7 +866,7 @@ static struct mousedev *mousedev_create(struct 
input_dev *dev,
 >>   	spin_lock_init(&mousedev->client_lock);
 >>   	mutex_init(&mousedev->mutex);
 >>   	lockdep_set_subclass(&mousedev->mutex,
 >> -			     minor == MOUSEDEV_MIX ? MOUSEDEV_MIX : 0);
 >> +			     minor == MOUSEDEV_MIX ? SINGLE_DEPTH_NESTING : 0);
 >
 > Ah good find.
 >
 >>   	init_waitqueue_head(&mousedev->wait);
 >>
 >>   	if (minor == MOUSEDEV_MIX)
 >> diff --git a/kernel/lockdep.c b/kernel/lockdep.c
 >> index 84baa71..c4c13ae 100644
 >> --- a/kernel/lockdep.c
 >> +++ b/kernel/lockdep.c
 >> @@ -639,6 +639,21 @@ look_up_lock_class(struct lockdep_map *lock, 
unsigned int subclass)
 >>   	}
 >>   #endif
 >>
 >> +	if (unlikely(subclass>= MAX_LOCKDEP_SUBCLASSES)) {
 >> +		/*
 >> +		 * This check should be done not only in __lock_acquire()
 >> +		 * but also here. Because register_lock_class() is also called
 >> +		 * by lock_set_class(). Callers of lock_set_class() can
 >> +		 * pass invalid value as subclass.
 >> +		 */
 >> +
 >> +		debug_locks_off();
 >> +		printk(KERN_ERR "BUG: looking up invalid subclass: %u\n", subclass);
 >> +		printk(KERN_ERR "turning off the locking correctness validator.\n");
 >> +		dump_stack();
 >> +		return NULL;
 >> +	}
 >
 > Would we catch all cases if we moved this check from __lock_acquire()
 > into register_lock_class()? It would result in only a single instance of
 > this logic.
 >

I think that __lock_acquire() should also check the value of subclass.
Because it access to the lock->class_cache as array
before calling look_up_lock_class() after applying this patch.

So if the check isn't done in __lock_acquire(),
the invalid addresses might be interpreted as the addresses of
struct lock_class.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ