lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20151007160458.GA27633@localhost>
Date:	Wed, 7 Oct 2015 11:04:58 -0500
From:	Bjorn Helgaas <helgaas@...nel.org>
To:	Sasha Levin <sasha.levin@...cle.com>
Cc:	Prarit Bhargava <prarit@...hat.com>, bhelgaas@...gle.com,
	linux-pci@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] PCI: prevent out of bounds access in numa_node override

On Wed, Oct 07, 2015 at 10:07:33AM -0400, Sasha Levin wrote:
> > On 10/06/2015 03:36 PM, Bjorn Helgaas wrote:
> >> Hi Sasha,
> >>
> >> On Sun, Oct 04, 2015 at 05:49:29PM -0400, Sasha Levin wrote:
> >>> Commit 63692df1 ("PCI: Allow numa_node override via sysfs") didn't check that
> >>> the numa node provided by userspace is valid. Passing a node number too high
> >>> would attempt to access invalid memory and trigger a kernel panic.
> >>>
> >>> Fixes: 63692df1 ("PCI: Allow numa_node override via sysfs")
> >>> Signed-off-by: Sasha Levin <sasha.levin@...cle.com>
> >>> ---
> >>>  drivers/pci/pci-sysfs.c |    2 +-
> >>>  1 file changed, 1 insertion(+), 1 deletion(-)
> >>>
> >>> diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c
> >>> index 312f23a..e9abca8 100644
> >>> --- a/drivers/pci/pci-sysfs.c
> >>> +++ b/drivers/pci/pci-sysfs.c
> >>> @@ -216,7 +216,7 @@ static ssize_t numa_node_store(struct device *dev,
> >>>  	if (ret)
> >>>  		return ret;
> >>>  
> >>> -	if (!node_online(node))
> >>> +	if (node > MAX_NUMNODES || !node_online(node))
> >>
> >> This needs to be "node >= MAX_NUMNODES", doesn't it?  I'll fix it up if
> >> you agree.
> 
> Yup, you're right.

OK, applied to for-linus for v4.3 as follows.  Thanks a lot, Sasha!


commit 0f7b9ad7477f7ce9b30e9ab0048f6e726f11a08a
Author: Sasha Levin <sasha.levin@...cle.com>
Date:   Sun Oct 4 17:49:29 2015 -0400

    PCI: Prevent out of bounds access in numa_node override
    
    63692df103e9 ("PCI: Allow numa_node override via sysfs") didn't check that
    the numa node provided by userspace is valid.  Passing a node number too
    high would attempt to access invalid memory and trigger a kernel panic.
    
    Fixes: 63692df103e9 ("PCI: Allow numa_node override via sysfs")
    Signed-off-by: Sasha Levin <sasha.levin@...cle.com>
    Signed-off-by: Bjorn Helgaas <bhelgaas@...gle.com>
    CC: stable@...r.kernel.org	# v3.19+

diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c
index 312f23a..9261868 100644
--- a/drivers/pci/pci-sysfs.c
+++ b/drivers/pci/pci-sysfs.c
@@ -216,7 +216,7 @@ static ssize_t numa_node_store(struct device *dev,
 	if (ret)
 		return ret;
 
-	if (!node_online(node))
+	if (node >= MAX_NUMNODES || !node_online(node))
 		return -EINVAL;
 
 	add_taint(TAINT_FIRMWARE_WORKAROUND, LOCKDEP_STILL_OK);
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ