lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CALYGNiOgL+W5hZeT9dA22ORgvyOQiX3QKU9ZGWzrgrH6EtofZg@mail.gmail.com>
Date:	Sun, 7 Feb 2016 11:27:53 +0300
From:	Konstantin Khlebnikov <koct9i@...il.com>
To:	Jeremiah Mahler <jmmahler@...il.com>,
	Andrew Morton <akpm@...ux-foundation.org>,
	Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
	Matthew Wilcox <matthew.r.wilcox@...el.com>,
	Hugh Dickins <hughd@...gle.com>,
	Mel Gorman <mgorman@...hsingularity.net>,
	Stephen Rothwell <sfr@...b.auug.org.au>,
	Konstantin Khlebnikov <koct9i@...il.com>
Subject: Re: [REGRESSION] mm: filemap_map_pages NULL pointer dereference

On Sat, Feb 6, 2016 at 9:18 PM, Jeremiah Mahler <jmmahler@...il.com> wrote:
> Andrew,
>
> On Fri, Feb 05, 2016 at 02:19:40PM -0800, Andrew Morton wrote:
>> On Fri, 5 Feb 2016 10:05:02 -0800 Jeremiah Mahler <jmmahler@...il.com> wrote:
>>
> [...]
>> >   unable to handle kernel NULL pointer dereference
>>
>> This should fix it up.
>>
> [...]
>>
>>  include/linux/radix-tree.h |    6 +++---
>>  1 file changed, 3 insertions(+), 3 deletions(-)
>>
>> diff -puN include/linux/radix-tree.h~radix-tree-fix-oops-after-radix_tree_iter_retry include/linux/radix-tree.h
>> --- a/include/linux/radix-tree.h~radix-tree-fix-oops-after-radix_tree_iter_retry
>> +++ a/include/linux/radix-tree.h
>> @@ -400,7 +400,7 @@ void **radix_tree_iter_retry(struct radi
>>   * @iter:    pointer to radix tree iterator
>>   * Returns:  current chunk size
>>   */
>> -static __always_inline unsigned
>> +static __always_inline long
>>  radix_tree_chunk_size(struct radix_tree_iter *iter)
>>  {
>>       return iter->next_index - iter->index;
>> @@ -434,9 +434,9 @@ radix_tree_next_slot(void **slot, struct
>>                       return slot + offset + 1;
>>               }
>>       } else {
>> -             unsigned size = radix_tree_chunk_size(iter) - 1;
>> +             long size = radix_tree_chunk_size(iter);
>>
>> -             while (size--) {
>> +             while (--size > 0) {
>>                       slot++;
>>                       iter->index++;
>>                       if (likely(*slot))
>> _
>>
>
> I have applied this patch to my kernel and so far the bug has not
> come back.  Thanks for the quick fix.
>
> Although I don't quite understand how this fixes the slot==NULL problem.
> Unless I am missing something, it looks like the while loop will be
> executed the same number of times but the size variable will no
> longer go negative as it did before.

That's simple. Slot is dereferenced after checking remaining size.
Old version checked only for != 0. After iter-retry size is zero and
afrer "- 1" it overlaps into positive range. In new version it's signed and
checked for > 0.

>
> --
> - Jeremiah Mahler

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ