lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20110509193248.GC2524@redhat.com>
Date:	Mon, 9 May 2011 15:32:48 -0400
From:	Jason Baron <jbaron@...hat.com>
To:	Jiri Olsa <jolsa@...hat.com>
Cc:	rostedt@...dmis.org, mingo@...e.hu, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] jump_label: check entries limit in __jump_label_update

On Wed, May 04, 2011 at 05:30:23PM +0200, Jiri Olsa wrote:
> When iterating the jump_label entries array (core or modules),
> the __jump_label_update function peeks over the last entry.
> 
> The reason is that the end of the for loop depends on the key
> value of the processed entry. Thus when going through the
> last array entry, we will touch the memory behind the array
> limit.
> 
> This bug probably will never be triggered, since most likely the
> memory behind the jump_label entries will be accesable and the
> entry->key will be different than the expected value.
> 
> 
> Signed-off-by: Jiri Olsa <jolsa@...hat.com>
> ---
>  kernel/jump_label.c |   17 ++++++++++++-----
>  1 files changed, 12 insertions(+), 5 deletions(-)
> 
> diff --git a/kernel/jump_label.c b/kernel/jump_label.c
> index 74d1c09..b2ee97a 100644
> --- a/kernel/jump_label.c
> +++ b/kernel/jump_label.c
> @@ -105,9 +105,12 @@ static int __jump_label_text_reserved(struct jump_entry *iter_start,
>  }
>  
>  static void __jump_label_update(struct jump_label_key *key,
> -		struct jump_entry *entry, int enable)
> +				struct jump_entry *entry,
> +				struct jump_entry *stop, int enable)
>  {
> -	for (; entry->key == (jump_label_t)(unsigned long)key; entry++) {
> +	for (; (entry < stop) &&
> +	      (entry->key == (jump_label_t)(unsigned long)key);
> +	      entry++) {
>  		/*
>  		 * entry->code set to 0 invalidates module init text sections
>  		 * kernel_text_address() verifies we are not in core kernel
> @@ -158,6 +161,7 @@ early_initcall(jump_label_init);
>  struct jump_label_mod {
>  	struct jump_label_mod *next;
>  	struct jump_entry *entries;
> +	struct jump_entry *entries_stop;
>  	struct module *mod;
>  };
>  
> @@ -181,7 +185,8 @@ static void __jump_label_mod_update(struct jump_label_key *key, int enable)
>  	struct jump_label_mod *mod = key->next;
>  
>  	while (mod) {
> -		__jump_label_update(key, mod->entries, enable);
> +		__jump_label_update(key, mod->entries, mod->entries_stop,
> +				    enable);
>  		mod = mod->next;

hmmm. Instead of adding a new field to the 'struct jump_label_mod' data
structure (and thus increasing its footprint), why not use:
mod->jump_entries +  mod->num_jump_entries here?

Otherwise, I agree this is a nice fix to have.

Thanks,

-Jason


>  	}
>  }
> @@ -241,11 +246,13 @@ static int jump_label_add_module(struct module *mod)
>  
>  		jlm->mod = mod;
>  		jlm->entries = iter;
> +		jlm->entries_stop = iter_stop;
>  		jlm->next = key->next;
>  		key->next = jlm;
>  
>  		if (jump_label_enabled(key))
> -			__jump_label_update(key, iter, JUMP_LABEL_ENABLE);
> +			__jump_label_update(key, iter, iter_stop,
> +					    JUMP_LABEL_ENABLE);
>  	}
>  
>  	return 0;
> @@ -371,7 +378,7 @@ static void jump_label_update(struct jump_label_key *key, int enable)
>  
>  	/* if there are no users, entry can be NULL */
>  	if (entry)
> -		__jump_label_update(key, entry, enable);
> +		__jump_label_update(key, entry, __stop___jump_table, enable);
>  
>  #ifdef CONFIG_MODULES
>  	__jump_label_mod_update(key, enable);
> -- 
> 1.7.1
> 
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ