lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Sun, 7 Feb 2016 07:46:48 -0800
From:	Jeremiah Mahler <jmmahler@...il.com>
To:	Konstantin Khlebnikov <koct9i@...il.com>
Cc:	Andrew Morton <akpm@...ux-foundation.org>,
	Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
	Matthew Wilcox <matthew.r.wilcox@...el.com>,
	Hugh Dickins <hughd@...gle.com>,
	Mel Gorman <mgorman@...hsingularity.net>,
	Stephen Rothwell <sfr@...b.auug.org.au>
Subject: Re: [REGRESSION] mm: filemap_map_pages NULL pointer dereference

Konstantin,

On Sun, Feb 07, 2016 at 11:27:53AM +0300, Konstantin Khlebnikov wrote:
> On Sat, Feb 6, 2016 at 9:18 PM, Jeremiah Mahler <jmmahler@...il.com> wrote:
[...]
> >> -static __always_inline unsigned
> >> +static __always_inline long
> >>  radix_tree_chunk_size(struct radix_tree_iter *iter)
> >>  {
> >>       return iter->next_index - iter->index;
> >> @@ -434,9 +434,9 @@ radix_tree_next_slot(void **slot, struct
> >>                       return slot + offset + 1;
> >>               }
> >>       } else {
> >> -             unsigned size = radix_tree_chunk_size(iter) - 1;
> >> +             long size = radix_tree_chunk_size(iter);
> >>
> >> -             while (size--) {
> >> +             while (--size > 0) {
> >>                       slot++;
> >>                       iter->index++;
> >>                       if (likely(*slot))
> >> _
> >>
> >
> > I have applied this patch to my kernel and so far the bug has not
> > come back.  Thanks for the quick fix.
> >
> > Although I don't quite understand how this fixes the slot==NULL problem.
> > Unless I am missing something, it looks like the while loop will be
> > executed the same number of times but the size variable will no
> > longer go negative as it did before.
> 
> That's simple. Slot is dereferenced after checking remaining size.
> Old version checked only for != 0. After iter-retry size is zero and
> afrer "- 1" it overlaps into positive range. In new version it's signed and
> checked for > 0.
> 

OK, I get it now.  Thanks for the explanation.

-- 
- Jeremiah Mahler

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ