| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20190416232833.GA17372@agluck-desk>
Date: Tue, 16 Apr 2019 16:28:33 -0700
From: "Luck, Tony" <tony.luck@...el.com>
To: Cong Wang <xiyou.wangcong@...il.com>
Cc: Borislav Petkov <bp@...en8.de>,
LKML <linux-kernel@...r.kernel.org>, linux-edac@...r.kernel.org,
Thomas Gleixner <tglx@...utronix.de>
Subject: Re: [PATCH 1/2] ras: fix an off-by-one error in __find_elem()
On Tue, Apr 16, 2019 at 04:18:57PM -0700, Cong Wang wrote:
> > The problem case occurs when we've seen enough distinct
> > errors that we have filled every entry, then we try to
> > look up a pfn that is larger that any seen before.
> >
> > The loop:
> >
> > while (min < max) {
> > ...
> > }
> >
> > will terminate with "min" set to MAX_ELEMS. Then we
> > execute:
> >
> > this_pfn = PFN(ca->array[min]);
> >
> > which references beyond the end of the space allocated
> > for ca->array.
>
> Exactly.
Hmmm. But can we ever really have this happen? The call
sequence to get here looks like:
mutex_lock(&ce_mutex);
if (ca->n == MAX_ELEMS)
WARN_ON(!del_lru_elem_unlocked(ca));
ret = find_elem(ca, pfn, &to);
I.e. if the array was all the way full, we delete one element
before calling find_elem(). So when we get here:
static int __find_elem(struct ce_array *ca, u64 pfn, unsigned int *to)
{
u64 this_pfn;
int min = 0, max = ca->n;
The biggest value "max" can have is MAX_ELEMS-1
-Tony
Powered by blists - more mailing lists