Message-Id: <1478189211-3467-1-git-send-email-shashim@codeaurora.org>
Date:   Thu,  3 Nov 2016 21:36:51 +0530
From:   Shiraz Hashim <shashim@...eaurora.org>
To:     catalin.marinas@....com, sfr@...b.auug.org.au,
        akpm@...ux-foundation.org
Cc:     linux-mm@...ck.org, linux-kernel@...r.kernel.org,
        Shiraz Hashim <shashim@...eaurora.org>
Subject: [PATCH 1/1] mm: cma: check the max limit for cma allocation

CMA allocation request size is represented by size_t that
gets truncated when same is passed as int to
bitmap_find_next_zero_area_off.

We observe that during fuzz testing when cma allocation
request is too high, bitmap_find_next_zero_area_off still
returns success due to the truncation. This leads to
kernel crash, as subsequent code assumes that requested
memory is available.

Fail cma allocation in case the request breaches the
corresponding cma region size.

Signed-off-by: Shiraz Hashim <shashim@...eaurora.org>
---
 mm/cma.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/mm/cma.c b/mm/cma.c
index 384c2cb..c960459 100644
--- a/mm/cma.c
+++ b/mm/cma.c
@@ -385,6 +385,9 @@ struct page *cma_alloc(struct cma *cma, size_t count, unsigned int align)
 	bitmap_maxno = cma_bitmap_maxno(cma);
 	bitmap_count = cma_bitmap_pages_to_bits(cma, count);
 
+	if (bitmap_count > bitmap_maxno)
+		return NULL;
+
 	for (;;) {
 		mutex_lock(&cma->lock);
 		bitmap_no = bitmap_find_next_zero_area_off(cma->bitmap,
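Review bot: The new bitmap_count > bitmap_maxno test runs after bitmap_count = cma_bitmap_pages_to_bits(cma, count), so it only catches an oversized request if that conversion and the type of bitmap_count preserve the full size_t value, and neither is visible in this hunk. Consider bounding count itself against the region size in pages before the conversion, or state in the commit message that bitmap_count is wide enough to hold the converted value. The check also leaves the narrowing at the bitmap_find_next_zero_area_off call in place, so a one-line comment above the test saying why it is needed would keep it from being removed as redundant later. The early return NULL sits before mutex_lock(&cma->lock), so no unlock path is missed.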
-- 
Shiraz Hashim

QUALCOMM INDIA, on behalf of Qualcomm Innovation Center, Inc. is a
member of the Code Aurora Forum, hosted by The Linux Foundation
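
The truncation described in the commit message, as an added user-space model that is not code from the patch or from the kernel. The names find_zero_area, alloc_unchecked and alloc_checked, the 32-bit length parameter and the 1024-bit region are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define REGION_BITS 1024u        /* constructed: model region size in bitmap bits */
#define NO_AREA     UINT64_MAX   /* "no free run found" */

/* Hypothetical stand-in for a bitmap search whose length parameter is 32-bit.
 * Returns the start index of the first run of nr clear entries, or NO_AREA. */
static uint64_t find_zero_area(const uint8_t *used, uint64_t size, uint32_t nr)
{
    uint64_t run = 0;

    if (nr == 0)
        return 0;                /* an empty request is trivially satisfied */
    for (uint64_t i = 0; i < size; i++) {
        run = used[i] ? 0 : run + 1;
        if (run == nr)
            return i + 1 - nr;
    }
    return NO_AREA;
}

/* Before the fix: the 64-bit count is narrowed at the call, so an
 * oversized request is searched for as a small one and "succeeds". */
static int alloc_unchecked(const uint8_t *used, uint64_t count)
{
    return find_zero_area(used, REGION_BITS, (uint32_t)count) != NO_AREA;
}

/* After the fix: reject any request larger than the region before searching. */
static int alloc_checked(const uint8_t *used, uint64_t count)
{
    if (count > REGION_BITS)
        return 0;
    return find_zero_area(used, REGION_BITS, (uint32_t)count) != NO_AREA;
}

int main(void)
{
    static uint8_t used[REGION_BITS];            /* all clear: empty region */
    uint64_t huge = (UINT64_C(1) << 32) + 8;     /* constructed oversized request */

    printf("unchecked, huge: %d\n", alloc_unchecked(used, huge));
    printf("checked,   huge: %d\n", alloc_checked(used, huge));
    printf("checked,   8:    %d\n", alloc_checked(used, 8));
    return 0;
}
```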
