| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 14 Mar 2016 12:25:39 +0900 (JST)
From: HATAYAMA Daisuke <d.hatayama@...fujitsu.com>
To: dyoung@...hat.com
Cc: akpm@...ux-foundation.org, linux-kernel@...r.kernel.org,
bhe@...hat.com, vgoyal@...hat.com, kexec@...ts.infradead.org,
nasa4836@...il.com, mhuang@...hat.com
Subject: Re: [PATCH V2] proc-vmcore: wrong data type casting fix
From: Dave Young <dyoung@...hat.com>
Subject: [PATCH V2] proc-vmcore: wrong data type casting fix
Date: Fri, 11 Mar 2016 16:42:48 +0800
> On i686 PAE enabled machine the contiguous physical area could be large
> and it can cause trimming down variables in below calculation in
> read_vmcore() and mmap_vmcore():
>
> tsz = min_t(size_t, m->offset + m->size - *fpos, buflen);
>
> Then the real size passed down is not correct any more.
> Suppose m->offset + m->size - *fpos being truncated to 0, buflen >0 then
That is, size_t and loff_t are defined as follows on i686:
(gdb) ptype size_t
type = unsigned int
(gdb) ptype loff_t
type = long long int
So casting by size_t means truncating a given value by 4GB.
Then, if (m->offset + m->size - *fpos) is equal to or larger than 4GB,
and is aligned with 4GB, the resulted value is 0, and
> we will get tsz = 0. It is of course not an expected result.
>
> During our tests there are two problems caused by it:
> 1) read_vmcore will refuse to continue so makedumpfile fails.
> 2) mmap_vmcore will trigger BUG_ON() in remap_pfn_range().
>
we reach these errors.
If (m->offset + m->size - *fpos) is not aligned with 4GB,
read_vmcore() or mmap_vmcore() is performed with the truncated
non-zero value as size (of course, this is also not expected value but
the execution doesn't result in error). Then, fpos proceeds so that
(m->offset + m->size - *fpos) is aligned with 4GB in the next loop,
and we after all reach the errors.
I think your patch description needs a bit more detail.
It seems good to me that the patch itself.
> Use unsigned long long in min_t instead so that the variables are not
> truncated.
>
> Signed-off-by: Baoquan He <bhe@...hat.com>
> Signed-off-by: Dave Young <dyoung@...hat.com>
> ---
> v1->v2: spelling fix in patch log
> fs/proc/vmcore.c | 7 +++++--
> 1 file changed, 5 insertions(+), 2 deletions(-)
>
> --- linux-x86.orig/fs/proc/vmcore.c
> +++ linux-x86/fs/proc/vmcore.c
> @@ -231,7 +231,9 @@ static ssize_t __read_vmcore(char *buffe
>
> list_for_each_entry(m, &vmcore_list, list) {
> if (*fpos < m->offset + m->size) {
> - tsz = min_t(size_t, m->offset + m->size - *fpos, buflen);
> + tsz = (size_t)min_t(unsigned long long,
> + m->offset + m->size - *fpos,
> + buflen);
> start = m->paddr + *fpos - m->offset;
> tmp = read_from_oldmem(buffer, tsz, &start, userbuf);
> if (tmp < 0)
> @@ -461,7 +463,8 @@ static int mmap_vmcore(struct file *file
> if (start < m->offset + m->size) {
> u64 paddr = 0;
>
> - tsz = min_t(size_t, m->offset + m->size - start, size);
> + tsz = (size_t)min_t(unsigned long long,
> + m->offset + m->size - start, size);
> paddr = m->paddr + start - m->offset;
> if (vmcore_remap_oldmem_pfn(vma, vma->vm_start + len,
> paddr >> PAGE_SHIFT, tsz,
>
--
Thanks.
HATAYAMA, Daisuke
Powered by blists - more mailing lists