lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:	Mon, 08 Nov 2010 23:20:27 -0500
From:	Steven Rostedt <rostedt@...dmis.org>
To:	LKML <linux-kernel@...r.kernel.org>
Cc:	Andrew Morton <akpm@...ux-foundation.org>,
	Jesse Barnes <jbarnes@...tuousgeek.org>,
	Chandru Siddalingappa <chandru@...ux.vnet.ibm.com>
Subject: [PATCH] PCI hotplug: ibmphp: Add check to prevent reading beyond
 mapped area

While testing various randconfigs with ktest.pl, I hit the following panic:

BUG: unable to handle kernel paging request at f7e54b03
IP: [<c0d63409>] ibmphp_access_ebda+0x101/0x19bb

Adding printks, I found that the loop that reads the ebda blocks
can move out of the mapped section.

ibmphp_access_ebda: start=f7e44c00 size=5120 end=f7e46000
ibmphp_access_ebda: io_mem=f7e44d80 offset=384
ibmphp_access_ebda: io_mem=f7e54b03 offset=65283

The start of the iomap was at f7e44c00 and had a size of 5120,
making the end f7e46000. We start with an offset of 0x180 or
384, giving the first read at 0xf7e44d80. Reading that location
yields 65283, which is much bigger than the 5120 that was allocated
and makes the next read at f7e54b03 which is outside the mapped area.

Perhaps this is a bug in the driver, or buggy hardware, but this patch
is more about not crashing my box on start up and just giving a warning
if it detects this error.

This patch at least lets my box boot with just a warning.

Cc: Jesse Barnes <jbarnes@...tuousgeek.org>
Cc: Chandru Siddalingappa <chandru@...ux.vnet.ibm.com>
Signed-off-by: Steven Rostedt <rostedt@...dmis.org>

---
 drivers/pci/hotplug/ibmphp_ebda.c |    6 ++++++
 1 file changed, 6 insertions(+)

Index: linux-test.git/drivers/pci/hotplug/ibmphp_ebda.c
===================================================================
--- linux-test.git.orig/drivers/pci/hotplug/ibmphp_ebda.c	2010-11-08 23:02:04.514138224 -0500
+++ linux-test.git/drivers/pci/hotplug/ibmphp_ebda.c	2010-11-08 23:02:38.021316682 -0500
@@ -276,6 +276,12 @@ int __init ibmphp_access_ebda (void)
 
 	for (;;) {
 		offset = next_offset;
+
+		/* Make sure what we read is still in the mapped section */
+		if (WARN(offset > (ebda_sz * 1024 - 4),
+			 "ibmphp_ebda: next read is beyond ebda_sz\n"))
+			break;
+
 		next_offset = readw (io_mem + offset);	/* offset of next blk */
 
 		offset += 2;


--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ