Date:	Wed, 29 Oct 2014 08:14:42 +0000
From:	Dexuan Cui <decui@...rosoft.com>
To:	"dave.hansen@...el.com" <dave.hansen@...el.com>,
	Rik van Riel <riel@...hat.com>,
	"H. Peter Anvin" <hpa@...ux.intel.com>
CC:	"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
	"linux-mm@...ck.org" <linux-mm@...ck.org>,
	KY Srinivasan <kys@...rosoft.com>,
	Haiyang Zhang <haiyangz@...rosoft.com>
Subject: RE: Does slow_virt_to_phys() work with vmalloc() in the case of 32bit-PAE and 2MB page?

> -----Original Message-----
> From: owner-linux-mm@...ck.org [mailto:owner-linux-mm@...ck.org] On
> Behalf Of Dexuan Cui
> Sent: Tuesday, October 28, 2014 16:51 PM
> To: dave.hansen@...el.com; Rik van Riel; H. Peter Anvin
> Cc: linux-kernel@...r.kernel.org; linux-mm@...ck.org
> Subject: RE: Does slow_virt_to_phys() work with vmalloc() in the case of
> 32bit-PAE and 2MB page?
> 
> > -----Original Message-----
> > From: owner-linux-mm@...ck.org [mailto:owner-linux-mm@...ck.org] On
> > Behalf Of Dexuan Cui
> > Sent: Tuesday, October 28, 2014 15:08 PM
> > To: Dave Hansen; Rik van Riel; H. Peter Anvin
> > Cc: linux-kernel@...r.kernel.org; linux-mm@...ck.org
> > Subject: Does slow_virt_to_phys() work with vmalloc() in the case of 32bit-
> > PAE and 2MB page?
> >
> > Hi all,
> > I suspect slow_virt_to_phys() may not work with vmalloc() in
> > the 32-bit PAE case (when the pa > 4GB), probably due to 2MB page(?)
> >
> > Is there any known issue with slow_virt_to_phys() + vmalloc() +
> > 32-bit PAE + 2MB page?
> >
> > From what I read in the code of slow_virt_to_phys(), the variable 'psize' is
> > assigned a value but not used at all -- is this a bug?
> After reading through the code, I think there is no issue here, though the
> assignment of 'psize' should be unnecessary, I think.

Hi all,
Finally it turns out there is a left-shift-overflow bug for 32-PAE here!

pte_pfn() returns a PFN of type long (32 bits in 32-PAE), so "long << PAGE_SHIFT"
will overflow for PFNs above 4GB.

I'm going to post the below fix in another mail:

@@ -409,7 +409,7 @@ phys_addr_t slow_virt_to_phys(void *__virt_addr)
        psize = page_level_size(level);
        pmask = page_level_mask(level);
        offset = virt_addr & ~pmask;
-       phys_addr = pte_pfn(*pte) << PAGE_SHIFT;
+       phys_addr = (phys_addr_t)pte_pfn(*pte) << PAGE_SHIFT;
        return (phys_addr | offset);
 }
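Review bot: the cast on the `+` line is the right shape for the fix, since widening `pte_pfn(*pte)` to `phys_addr_t` before the `<< PAGE_SHIFT` makes the shift happen in the 64-bit type instead of the 32-bit `long` the thread describes; the earlier, unparenthesised form could only ever produce a 32-bit page address. Two things to carry into the formal submission: the commit message should state the overflow condition explicitly (a PFN whose page address no longer fits in 32 bits, i.e. physical memory at or above 4GB on a 32-bit PAE kernel), and the context line `psize = page_level_size(level);` is still assigned but, as you noted earlier in the thread, never used in this function, so either drop it in a follow-up or expect an unused-variable warning from compilers that flag it.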

Thanks,
-- Dexuan
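The overflow discussed in this message, as an added example that is not part of the thread or of the kernel patch: it models the 32-bit PAE layout on any host by using `uint32_t` for the kernel's 32-bit `unsigned long` PFN and `uint64_t` for `phys_addr_t`, and puts the pre-fix conversion (shift, then widen) beside the post-fix one (widen, then shift). The type names `pae_ulong_t`, the helper names and the sample PFNs are constructed for this example; `PAGE_SHIFT` is 12 for the 4KB base page the conversion works in.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Model of the 32-bit PAE case from the thread: the PFN lives in a 32-bit
 * 'unsigned long', while phys_addr_t is a 64-bit physical address.
 * PAGE_SHIFT 12 is the 4KB base page pte_pfn() counts in. */
#define PAGE_SHIFT 12
typedef uint32_t pae_ulong_t;   /* stands in for the 32-bit 'unsigned long' */
typedef uint64_t phys_addr_t;   /* 64-bit physical address under PAE */

/* Before the fix: the shift is evaluated in the 32-bit type and only then
 * widened. The cast to pae_ulong_t models the truncation a 32-bit build does. */
phys_addr_t pfn_to_phys_buggy(pae_ulong_t pfn)
{
    pae_ulong_t shifted = (pae_ulong_t)(pfn << PAGE_SHIFT); /* bits 32+ lost */
    return (phys_addr_t)shifted;
}

/* After the fix from the patch: widen to phys_addr_t first, then shift. */
phys_addr_t pfn_to_phys_fixed(pae_ulong_t pfn)
{
    return (phys_addr_t)pfn << PAGE_SHIFT;
}

/* True when this PFN's page address does not fit in 32 bits, i.e. when the
 * pre-fix conversion silently drops bits. With 4KB pages that is PFN >= 2^20,
 * which is exactly the 4GB boundary. */
int pfn_shift_overflows_32bit(pae_ulong_t pfn)
{
    return pfn >= ((pae_ulong_t)1 << (32 - PAGE_SHIFT));
}

/* Mirror of the tail of slow_virt_to_phys(): page address OR'ed with the
 * in-page offset. 'fixed' selects which conversion is used. */
phys_addr_t virt_to_phys_model(pae_ulong_t pfn, pae_ulong_t offset, int fixed)
{
    phys_addr_t page = fixed ? pfn_to_phys_fixed(pfn) : pfn_to_phys_buggy(pfn);
    return page | (offset & (((pae_ulong_t)1 << PAGE_SHIFT) - 1));
}

int main(void)
{
    /* Constructed sample PFNs: one below the 4GB mark, two at or above it. */
    pae_ulong_t samples[] = { 0x12345, 0x100000, 0x100001 };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        pae_ulong_t pfn = samples[i];
        printf("pfn 0x%" PRIx32 ": buggy=0x%" PRIx64 " fixed=0x%" PRIx64
               " overflows=%d\n",
               pfn, pfn_to_phys_buggy(pfn), pfn_to_phys_fixed(pfn),
               pfn_shift_overflows_32bit(pfn));
    }
    return 0;
}
```

For PFN 0x100000 the pre-fix form returns 0 and for 0x100001 it returns 0x1000, so a caller would be handed a physical address in the first 4KB pages of RAM instead of one above 4GB; the widened form returns 0x100000000 and 0x100001000. The `pfn_shift_overflows_32bit()` check is the condition a reviewer can use to spot other `pfn << PAGE_SHIFT` sites that would need the same cast on a 32-bit PAE build.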