| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 06 Apr 2018 08:11:13 -0600
From: "Tom Abraham" <tabraham@...e.com>
To: <linux-kernel@...r.kernel.org>
Subject: [PATCH] swap: divide-by-zero when zero length swap file on ssd
Calling swapon() on a zero length swap file on SSD can lead to a
divide-by-zero.
Although creating such files isn't possible with mkswap and they woud be
considered invalid, it would be better for the swapon code to be more robust
and handle this condition gracefully (return -EINVAL). Especially since the fix
is small and straight-forward.
To help with wear leveling on SSD, the swapon syscall calculates a random
position in the swap file using modulo p->highest_bit, which is set to
maxpages - 1 in read_swap_header.
If the swap file is zero length, read_swap_header sets maxpages=1 and
last_page=0, resulting in p->highest_bit=0 and we divide-by-zero when we modulo
p->highest_bit in swapon syscall.
This can be prevented by having read_swap_header return zero if last_page is
zero.
diff --git a/mm/swapfile.c b/mm/swapfile.c
index c7a33717d079..d6b7bd9f365d 100644
--- a/mm/swapfile.c
+++ b/mm/swapfile.c
@@ -2961,6 +2961,10 @@ static unsigned long read_swap_header(struct swap_info_struct *p,
maxpages = swp_offset(pte_to_swp_entry(
swp_entry_to_pte(swp_entry(0, ~0UL)))) + 1;
last_page = swap_header->info.last_page;
+ if(!last_page) {
+ pr_warn("Empty swap-file\n");
+ return 0;
+ }
if (last_page > maxpages) {
pr_warn("Truncating oversized swap area, only using %luk out of %luk\n",
maxpages << (PAGE_SHIFT - 10),
Powered by blists - more mailing lists