lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Mon, 22 Oct 2012 14:18:54 -0700
From:	Andrew Morton <akpm@...ux-foundation.org>
To:	Thadeu Lima de Souza Cascardo <cascardo@...ux.vnet.ibm.com>
Cc:	linux-kernel@...r.kernel.org,
	Paul Gortmaker <paul.gortmaker@...driver.com>,
	Benjamin Gaignard <benjamin.gaignard@...ricsson.com>
Subject: Re: [PATCH resend] genalloc: stop crashing the system when
 destroying a pool

On Sun, 21 Oct 2012 09:52:59 -0200
Thadeu Lima de Souza Cascardo <cascardo@...ux.vnet.ibm.com> wrote:

> A gen_pool_chunk uses a bitmap to find what addresses ranges it has
> allocated and bugs when we destroy the pool and a chunk has some bits
> set.
> 
> There is a problem when it allocates the bitmap. It allocates only the
> number of bytes needed for the bits that represent the size it's
> allocating. That is, if it needs 16 bits, it will allocate only 2 bytes,
> if it needs 31 bits, it will allocate 4 bytes.
> 
> However, the bitops functions uses long types. And when the gen_pool_add
> allocates a bitmap, it only clears the bytes it has allocated. So, it's
> possible that we have a long word with the contents 0xffffffffffffffff,
> and only the first (most significant) bytes are cleared by memset.
> However, the destroy function is going to test for the least significant
> bits, which will not be clear as expected.
> 

When fixing a bug, please do fully describe that bug.  The oops trace
would be nice, but can be avoided if a suitable description is included.

Does the BUG() happen in gen_pool_destroy(), or in gen_pool_free()?  In
either case, from your description it sound like the function which is
going BUG() is the site which needs fixing because it is checking for
non-zero bits outside the correct range?

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists