Message-ID: <20121020203520.GB5826@joi.lan>
Date:	Sat, 20 Oct 2012 22:35:20 +0200
From:	Marcin Slusarz <marcin.slusarz@...il.com>
To:	Heinz Diehl <htd@...tha.org>
Cc:	Martin Peres <martin.peres@...ri.fr>,
	Heinz Diehl <htd@...cy-poultry.org>,
	Linus Torvalds <torvalds@...ux-foundation.org>,
	Paweł Sikora <pawel.sikora@...k.net>,
	David Airlie <airlied@...ux.ie>,
	Ben Skeggs <bskeggs@...hat.com>,
	Daniel Vetter <daniel.vetter@...ll.ch>,
	dri-devel@...ts.freedesktop.org, linux-kernel@...r.kernel.org,
	marcheu@...omium.org
Subject: Re: Linux 3.7-rc1 (nouveau_bios_score oops).

On Sat, Oct 20, 2012 at 10:28:46PM +0200, Marcin Slusarz wrote:
> On Sat, Oct 20, 2012 at 12:42:38PM +0200, Heinz Diehl wrote:
> > On 20.10.2012, Martin Peres wrote: 
> > 
> > > Can you test the attached patch too? I rebased the previous one I sent on
> > > top of 3.7-rc1 as I accidentally used an older version.
> > 
> > Yes, of course.
> > 
> > Tried it. Unfortunately, the crash remains the same as reported.
> 
> Try this one.
> 
> Now, the question is: could 3.6 kernel get VBIOS by ACPI?
> If yes, please mount debugfs and send vbios.rom to me please.
> (cat /sys/kernel/debug/dri/0/vbios.rom > vbios.rom)
> 
> ---
> From: Marcin Slusarz <marcin.slusarz@...il.com>
> Subject: [PATCH] drm/nouveau: validate vbios size
> 
> Without checking, we could detect vbios size as 0, allocate 0-byte array
> (kmalloc returns invalid pointer for such allocation) and crash in
> nouveau_bios_score while checking for vbios signature.
> 
> Reported-by: Heinz Diehl <htd@...tha.org>

And of course:
Reported-by: Paweł Sikora <pawel.sikora@...k.net>

> Signed-off-by: Marcin Slusarz <marcin.slusarz@...il.com>
> ---
>  drivers/gpu/drm/nouveau/core/subdev/bios/base.c | 16 +++++++++++++---
>  1 file changed, 13 insertions(+), 3 deletions(-)
> 
> diff --git a/drivers/gpu/drm/nouveau/core/subdev/bios/base.c b/drivers/gpu/drm/nouveau/core/subdev/bios/base.c
> index dcb5c2b..824eea0 100644
> --- a/drivers/gpu/drm/nouveau/core/subdev/bios/base.c
> +++ b/drivers/gpu/drm/nouveau/core/subdev/bios/base.c
> @@ -72,7 +72,7 @@ nouveau_bios_shadow_of(struct nouveau_bios *bios)
>  	}
>  
>  	data = of_get_property(dn, "NVDA,BMP", &size);
> -	if (data) {
> +	if (data && size) {
>  		bios->size = size;
>  		bios->data = kmalloc(bios->size, GFP_KERNEL);
>  		if (bios->data)
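
Review bot: in nouveau_bios_shadow_of, `if (data && size)` rejects only a zero length, so a 1- or 2-byte "NVDA,BMP" property is still allocated here and is turned away later only by the new `bios->size < 3` test in nouveau_bios_score. That is safe, but the rejection is silent at this point; a log line when the property exists but is empty would make a broken device tree visible.
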
> @@ -104,6 +104,9 @@ nouveau_bios_shadow_pramin(struct nouveau_bios *bios)
>  		goto out;
>  
>  	bios->size = nv_rd08(bios, 0x700002) * 512;
> +	if (!bios->size)
> +		goto out;
> +
>  	bios->data = kmalloc(bios->size, GFP_KERNEL);
>  	if (bios->data) {
>  		for (i = 0; i < bios->size; i++)
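
Review bot: the new `if (!bios->size) goto out;` in nouveau_bios_shadow_pramin leaves bios->data untouched, so this path relies on bios->data already being NULL when the function is entered; that initialisation is not visible in this hunk. Setting `bios->data = NULL` before the jump, or noting in a comment where it is cleared, would make the early exit self-contained.
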
> @@ -155,6 +158,9 @@ nouveau_bios_shadow_prom(struct nouveau_bios *bios)
>  
>  	/* read entire bios image to system memory */
>  	bios->size = nv_rd08(bios, 0x300002) * 512;
> +	if (!bios->size)
> +		goto out;
> +
>  	bios->data = kmalloc(bios->size, GFP_KERNEL);
>  	if (bios->data) {
>  		for (i = 0; i < bios->size; i++)
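
Review bot: this is the same zero-size test as in nouveau_bios_shadow_pramin, repeated after `nv_rd08(bios, 0x300002) * 512`, and neither copy says why zero is special. A short comment that kmalloc(0) returns a non-NULL pointer that must not be dereferenced would explain why the check has to come before the allocation, and a small shared helper for "read size, reject 0, allocate" would keep the PRAMIN and PROM paths from drifting apart.
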
> @@ -194,6 +200,8 @@ nouveau_bios_shadow_acpi(struct nouveau_bios *bios)
>  	bios->size = 0;
>  	if (nouveau_acpi_get_bios_chunk(data, 0, 3) == 3)
>  		bios->size = data[2] * 512;
> +	if (!bios->size)
> +		return;
>  
>  	bios->data = kmalloc(bios->size, GFP_KERNEL);
>  	for (i = 0; bios->data && i < bios->size; i += cnt) {
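
Review bot: in nouveau_bios_shadow_acpi the zero-size case is a bare `return;` with no message, so a failed `nouveau_acpi_get_bios_chunk(data, 0, 3)` and a header length byte of 0 are indistinguishable from the log. An nv_info line on this path, in the style already used in nouveau_bios_score, would show whether the ACPI method was tried and why it was skipped.
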
> @@ -229,12 +237,14 @@ nouveau_bios_shadow_pci(struct nouveau_bios *bios)
>  static int
>  nouveau_bios_score(struct nouveau_bios *bios, const bool writeable)
>  {
> -	if (!bios->data || bios->data[0] != 0x55 || bios->data[1] != 0xAA) {
> +	if (bios->size < 3 || !bios->data || bios->data[0] != 0x55 ||
> +			bios->data[1] != 0xAA) {
>  		nv_info(bios, "... signature not found\n");
>  		return 0;
>  	}
>  
> -	if (nvbios_checksum(bios->data, bios->data[2] * 512)) {
> +	if (nvbios_checksum(bios->data,
> +			min_t(u32, bios->data[2] * 512, bios->size))) {
>  		nv_info(bios, "... checksum invalid\n");
>  		/* if a ro image is somewhat bad, it's probably all rubbish */
>  		return writeable ? 2 : 1;
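
Review bot: in nouveau_bios_score, `min_t(u32, bios->data[2] * 512, bios->size)` quietly clamps the checksum length when the header claims more data than was shadowed, so a truncated image is checksummed over a partial range and surfaces only as "checksum invalid". Treating `bios->data[2] * 512 > bios->size` as its own failure with a distinct message would separate truncation from corruption. A length byte of 0 also makes the checksum length 0; what nvbios_checksum returns in that case is not visible here and is worth confirming.
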
> -- 