lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <c6951af8-95a0-fa01-beb9-b7961523caaf@canonical.com>
Date:   Tue, 23 Aug 2016 10:51:28 +0100
From:   Colin Ian King <colin.king@...onical.com>
To:     1463486446-13890-1-git-send-email-colin.king@...onical.com,
        vinod.koul@...el.com, dmaengine@...r.kernel.org
Cc:     Xulin Sun <xulin.sun@...driver.com>, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] dmaengine: do not allow access outside of unmap_pool

On 23/08/16 10:24, Xulin Sun wrote:
>>On Tue, May 17, 2016 at 01:00:46PM +0100, Colin King wrote:
>>> From: Colin Ian King <colin.king@...onical.com>
>>>
>>> When CONFIG_DMA_ENGINE_RAID is defined, unmap_pool[] is just 1
>>> element in size, however, allows orders of 2..8 to access
>>> outside unmap_pool and returns an invalid address. Ensure
>>> we fall into the default path and report a BUG() when
>>> CONFIG_DMA_ENGINE_RAID is defined and order is out of range.
>>>
>>> Signed-off-by: Colin Ian King <colin.king@...onical.com>
>>> ---
>>>  drivers/dma/dmaengine.c | 2 ++
>>>  1 file changed, 2 insertions(+)
>>>
>>> diff --git a/drivers/dma/dmaengine.c b/drivers/dma/dmaengine.c
>>> index 8c9f45f..6027e66 100644
>>> --- a/drivers/dma/dmaengine.c
>>> +++ b/drivers/dma/dmaengine.c
>>> @@ -1100,12 +1100,14 @@ static struct dmaengine_unmap_pool
> *__get_unmap_pool(int nr)
>>>      switch (order) {
>>>      case 0 ... 1:
>>>          return &unmap_pool[0];
>>> +    #if IS_ENABLED(CONFIG_DMA_ENGINE_RAID)
> 
>>Okay if CONFIG_DMA_ENGINE_RAID is enabled (m or y) then IS_ENABLED
>>return 1, so we will go inside and not fall into default. And I though
>>by changelog that you want it to go to default in CONFIG_DMA_ENGINE_RAID
>>is defined!
> 
>>What did I miss...
> 
> Here it should be when CONFIG_DMA_ENGINE_RAID is NOT defined,
> unmap_pool[] is just 1
> element in size,  and the function "__get_unmap_pool" will access
> outside of the array unmap_pool[]
> in case orders of 2..8 and returns an invalid address, and I encountered
> the issue.
> 
> I think the patch is needed to avoid visiting outside of the array
> unmap_pool[] if CONFIG_DMA_ENGINE_RAID is NOT defined.

Exactly. Thanks for explaining, I missed the original query, apologies
for missing that.

Colin
> 
> Thanks
> Xulin
>>>      case 2 ... 4:
>>>          return &unmap_pool[1];
>>>      case 5 ... 7:
>>>          return &unmap_pool[2];
>>>      case 8:
>>>          return &unmap_pool[3];
>>> +    #endif
>>>      default:
>>>          BUG();
>>>          return NULL;
>>> --
>>> 2.8.1
>>>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ