| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 24 Jul 2019 13:16:53 +0200 (CEST)
From: Thomas Gleixner <tglx@...utronix.de>
To: Jia-Ju Bai <baijiaju1990@...il.com>
cc: dave.hansen@...ux.intel.com, luto@...nel.org, peterz@...radead.org,
mingo@...hat.com, bp@...en8.de, hpa@...or.com, x86@...nel.org,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH] x86: Fix possible null-pointer dereferences in
untrack_pfn()
On Tue, 23 Jul 2019, Jia-Ju Bai wrote:
> In untrack_pfn(), there is an if statement on line 1058 to check whether
> vma is NULL:
> if (vma && !(vma->vm_flags & VM_PAT))
>
> When vma is NULL, vma is used on line 1064:
> if (follow_phys(vma, vma->vm_start, 0, &prot, &paddr))
> and line 1069:
> size = vma->vm_end - vma->vm_start;
>
> Thus, possible null-pointer dereferences may occur.
>
> To fix these possible bugs, vma is checked on line 1063.
>
> These bugs are found by a static analysis tool STCheck written by us.
In principle you are right, but that's a bit more subtle as the callers can
provide a vma pointer and/or a valid pfn and size.
> diff --git a/arch/x86/mm/pat.c b/arch/x86/mm/pat.c
> index d9fbd4f69920..717456e7745e 100644
> --- a/arch/x86/mm/pat.c
> +++ b/arch/x86/mm/pat.c
> @@ -1060,7 +1060,7 @@ void untrack_pfn(struct vm_area_struct *vma, unsigned long pfn,
>
> /* free the chunk starting from pfn or the whole chunk */
> paddr = (resource_size_t)pfn << PAGE_SHIFT;
> - if (!paddr && !size) {
> + if (vma && !paddr && !size) {
> if (follow_phys(vma, vma->vm_start, 0, &prot, &paddr)) {
> WARN_ON_ONCE(1);
> return;
So I'd rather have a sanity check in that function which does:
if (WARN_ON_ONCE(!vma && !pfn && !size))
return;
Thanks,
tglx
Powered by blists - more mailing lists