Message-ID: <20120217171915.GO27825@n2100.arm.linux.org.uk>
Date:	Fri, 17 Feb 2012 17:19:15 +0000
From:	Russell King - ARM Linux <linux@....linux.org.uk>
To:	Ajeet Yadav <ajeet.yadav.77@...il.com>
Cc:	Jon Medhurst <tixy@...t.co.uk>,
	Nicolas Pitre <nicolas.pitre@...aro.org>,
	Catalin Marinas <catalin.marinas@....com>,
	Sumit Bhattacharya <sumitb@...dia.com>,
	linux-arm-kernel@...ts.infradead.org, linux-kernel@...r.kernel.org,
	Naveen Yadav <yad.naveen@...il.com>
Subject: Re: [PATCH 3/3] ARM: dma-mapping: fix array out of bound access

On Fri, Feb 17, 2012 at 09:26:00PM +0530, Ajeet Yadav wrote:
> In __dma_alloc_remap(*,size,*,*)/ __dma_free_remap(*,size) functions
> if virtual address is in the last consistent mapping region
> i.e idx == ((CONSISTENT_END - base) >> PMD_SHIFT) - 1
> and off == PTRS_PER_PTE.
> then we have array out of bound access condition.

How?  Where?

At the first loop, off will _never_ be PTRS_PER_PTE.

                u32 off = CONSISTENT_OFFSET(c->vm_start) & (PTRS_PER_PTE-1);

There is _absolutely_ _no_ _way_ that off could ever be PTRS_PER_PTE
here.

If 'base' is CONSISTENT_END, then we have far bigger problems, because
it means that we have a zero sized region - it certainly can't be any
larger than zero size because then we'd be overflowing the DMA region
into something else.

Plus, we know that 'end of region' allocations work fine, because the
code allocates from the top of the region downwards.

So, I don't think there's a problem here.
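
The index arithmetic for a mapping's start address, as discussed in the message above, written as an added user-space example. It is not part of the original email or the kernel source. The shift values, `PTRS_PER_PTE`, `CONSISTENT_END` and the region base are assumed or constructed values, the helper names are hypothetical, and the check covers only the initial `idx`/`off` computation, not later loop increments.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed values for illustration; they are not given in the thread. */
#define PAGE_SHIFT      12
#define PMD_SHIFT       21
#define PTRS_PER_PTE    512u
#define CONSISTENT_END  0xffe00000u

/* Number of PTE tables covering [base, CONSISTENT_END). */
static uint32_t num_tables(uint32_t base)
{
    return (CONSISTENT_END - base) >> PMD_SHIFT;
}

/* Split vaddr into (table index, slot within table); -1 if outside the region. */
static int decompose(uint32_t base, uint32_t vaddr, uint32_t *idx, uint32_t *off)
{
    if (vaddr < base || vaddr >= CONSISTENT_END)
        return -1;
    *idx = (vaddr - base) >> PMD_SHIFT;
    /* Same shape as the line quoted in the message: mask with PTRS_PER_PTE-1. */
    *off = ((vaddr - base) >> PAGE_SHIFT) & (PTRS_PER_PTE - 1);
    return 0;
}

/* Visit every page-aligned start address in the region and count those
 * whose table index or slot would fall outside the tables. */
static unsigned count_violations(uint32_t base)
{
    unsigned bad = 0;
    uint32_t idx, off;
    for (uint64_t v = base; v < CONSISTENT_END; v += 1u << PAGE_SHIFT) {
        if (decompose(base, (uint32_t)v, &idx, &off) != 0 ||
            idx >= num_tables(base) || off >= PTRS_PER_PTE)
            bad++;
    }
    return bad;
}

int main(void)
{
    uint32_t base = 0xffa00000u, idx, off;   /* constructed 4 MiB region */
    decompose(base, CONSISTENT_END - (1u << PAGE_SHIFT), &idx, &off);
    printf("tables=%u last page: idx=%u off=%u violations=%u\n",
           num_tables(base), idx, off, count_violations(base));
    return 0;
}
```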