lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Tue, 10 Apr 2018 06:54:11 +0200
From:   Takashi Iwai <tiwai@...e.de>
To:     Andrew Morton <akpm@...ux-foundation.org>
Cc:     Ram Pai <linuxram@...ibm.com>, Bjorn Helgaas <bhelgaas@...gle.com>,
        Michael Henders <hendersm@...w.ca>,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2] resource: Fix integer overflow at reallocation

On Tue, 10 Apr 2018 02:23:26 +0200,
Andrew Morton wrote:
> 
> On Sun,  8 Apr 2018 09:20:26 +0200 Takashi Iwai <tiwai@...e.de> wrote:
> 
> > We've got a bug report indicating a kernel panic at booting on an
> > x86-32 system, and it turned out to be the invalid resource assigned
> > after PCI resource reallocation.  __find_resource() first aligns the
> > resource start address and resets the end address with start+size-1
> > accordingly, then checks whether it's contained.  Here the end address
> > may overflow the integer, although resource_contains() still returns
> > true because the function validates only start and end address.  So
> > this ends up with returning an invalid resource (start > end).
> > 
> > There was already an attempt to cover such a problem in the commit
> > 47ea91b4052d ("Resource: fix wrong resource window calculation"), but
> > this case is an overseen one.
> > 
> > This patch adds the validity check in resource_contains() to see
> > whether the given resource has a valid range for avoiding the integer
> > overflow problem.
> > 
> > ...
> >
> > --- a/include/linux/ioport.h
> > +++ b/include/linux/ioport.h
> > @@ -212,6 +212,9 @@ static inline bool resource_contains(struct resource *r1, struct resource *r2)
> >  		return false;
> >  	if (r1->flags & IORESOURCE_UNSET || r2->flags & IORESOURCE_UNSET)
> >  		return false;
> > +	/* sanity check whether it's a valid resource range */
> > +	if (r2->end < r2->start)
> > +		return false;
> >  	return r1->start <= r2->start && r1->end >= r2->end;
> >  }
> 
> This doesn't look like the correct place to handle this?  Clearly .end
> < .start is an invalid state for a resource and we should never have
> constructed such a thing in the first place?  So adding a check at the
> place where this resource was initially created seems to be the correct
> fix?

Yes, that was also my first thought and actually the v1 patch was like
that.  The v2 one was by Ram's suggestion so that we can cover
potential bugs by all other callers as well.

I don't mind in which way to fix; below is the v1 version.
Please choose the one you think better.


Thanks!

Takashi

-- 8< --

From: Takashi Iwai <tiwai@...e.de>
Subject: [PATCH v1] resource: Fix integer overflow at reallocation

We've got a bug report indicating a kernel panic at booting on an
x86-32 system, and it turned out to be the invalid PCI resource
assigned after reallocation.  __find_resource() first aligns the
resource start address and resets the end address with start+size-1
accordingly, then checks whether it's contained.  Here the end address
may overflow the integer, although resource_contains() still returns
true because the function validates only start and end address.  So
this ends up with returning an invalid resource (start > end).

There was already an attempt to cover such a problem in the commit
47ea91b4052d ("Resource: fix wrong resource window calculation"), but
this case is an overseen one.

This patch adds the validity check of the newly calculated resource
for avoiding the integer overflow problem.

Bugzilla: http://bugzilla.opensuse.org/show_bug.cgi?id=1086739
Fixes: 23c570a67448 ("resource: ability to resize an allocated resource")
Reported-and-tested-by: Michael Henders <hendersm@...w.ca>
Cc: <stable@...r.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@...e.de>
---

 kernel/resource.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/kernel/resource.c b/kernel/resource.c
index e270b5048988..2af6c03858b9 100644
--- a/kernel/resource.c
+++ b/kernel/resource.c
@@ -651,7 +651,8 @@ static int __find_resource(struct resource *root, struct resource *old,
 			alloc.start = constraint->alignf(constraint->alignf_data, &avail,
 					size, constraint->align);
 			alloc.end = alloc.start + size - 1;
-			if (resource_contains(&avail, &alloc)) {
+			if (alloc.start <= alloc.end &&
+			    resource_contains(&avail, &alloc)) {
 				new->start = alloc.start;
 				new->end = alloc.end;
 				return 0;
-- 
2.16.2

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ