lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:   Wed, 19 Jul 2017 22:36:00 +0000
From:   Ethan Barnes <Ethan.Barnes@....com>
To:     "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
CC:     Thomas Gleixner <tglx@...utronix.de>,
        "Srivatsa S. Bhat" <srivatsa@....edu>,
        Paul McKenney <paulmck@...ux.vnet.ibm.com>,
        Ingo Molnar <mingo@...nel.or>,
        Sebastian Siewior <bigeasy@...utronix.d>
Subject: [PATCH] cpu hotplug: Prevent Page Fault in cpuhp_remove_callbacks()

Hi,

There is a page fault in cpu hotplug when removing the callbacks for the 
last dynamic state.
The last dynamic state will not be removed, causing a page fault when 
hotplug thinks the callbacks still exists and calls it.

The problem is as follows:
- __cpuhp_remove_state() eventually calls cpuhp_store_callbacks() with 
NULLs for most params.
- If state is the last state (i.e. CPUHP_AP_ONLINE_DYN or 
CPUHP_BP_PREPARE_STATE) then cpuhp_store_callbacks() calls 
cpuhp_reserve_state(), which returns the *next* available DYN state.
- The NULLs are stored in that *next* state (i.e. AP_ONLINE_DYN + 1 or 
BP_PREPARE_DYN + 1) instead of in AP_ONLINE_DYN or BP_PREPARE_DYN. Thus, 
the last state is never cleared. The callbacks now point to invalid memory.
- When the cpu is onlined again and/or offlined, then the invalid 
callback is invoked, causing a page fault.

The patch above solves this by detecting when a state is being removed, 
and not calling cpuhp_reserve_state().

I have brought this up before, but hoping to get some traction on it 
this time:
https://lkml.org/lkml/2017/7/5/574

Thx,
Ethan


Signed-off-by: Ethan Barnes <ethan.barnes@...disk.com>
---

diff --git a/kernel/cpu.c b/kernel/cpu.c
index eee0331..f7fda16 100644
--- a/kernel/cpu.c
+++ b/kernel/cpu.c
@@ -1252,7 +1252,8 @@ static int cpuhp_store_callbacks(enum cpuhp_state 
state, const char *name,
         struct cpuhp_step *sp;
         int ret = 0;

-       if (state == CPUHP_AP_ONLINE_DYN || state == CPUHP_BP_PREPARE_DYN) {
+       if (name &&
+           (state == CPUHP_AP_ONLINE_DYN || state == 
CPUHP_BP_PREPARE_DYN)) {
                 ret = cpuhp_reserve_state(state);
                 if (ret < 0)
                         return ret;

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ