Message-ID: <alpine.DEB.2.21.1907241309420.1791@nanos.tec.linutronix.de>
Date:   Wed, 24 Jul 2019 13:16:53 +0200 (CEST)
From:   Thomas Gleixner <tglx@...utronix.de>
To:     Jia-Ju Bai <baijiaju1990@...il.com>
cc:     dave.hansen@...ux.intel.com, luto@...nel.org, peterz@...radead.org,
        mingo@...hat.com, bp@...en8.de, hpa@...or.com, x86@...nel.org,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH] x86: Fix possible null-pointer dereferences in untrack_pfn()

On Tue, 23 Jul 2019, Jia-Ju Bai wrote:

> In untrack_pfn(), there is an if statement on line 1058 to check whether
> vma is NULL:
>     if (vma && !(vma->vm_flags & VM_PAT))
> 
> When vma is NULL, vma is used on line 1064:
>     if (follow_phys(vma, vma->vm_start, 0, &prot, &paddr))
> and line 1069:
>     size = vma->vm_end - vma->vm_start;
> 
> Thus, possible null-pointer dereferences may occur.
> 
> To fix these possible bugs, vma is checked on line 1063.
> 
> These bugs are found by a static analysis tool STCheck written by us.

In principle you are right, but that's a bit more subtle as the callers can
provide a vma pointer and/or a valid pfn and size.

> diff --git a/arch/x86/mm/pat.c b/arch/x86/mm/pat.c
> index d9fbd4f69920..717456e7745e 100644
> --- a/arch/x86/mm/pat.c
> +++ b/arch/x86/mm/pat.c
> @@ -1060,7 +1060,7 @@ void untrack_pfn(struct vm_area_struct *vma, unsigned long pfn,
>  
>  	/* free the chunk starting from pfn or the whole chunk */
>  	paddr = (resource_size_t)pfn << PAGE_SHIFT;
> -	if (!paddr && !size) {
> +	if (vma && !paddr && !size) {
>  		if (follow_phys(vma, vma->vm_start, 0, &prot, &paddr)) {
>  			WARN_ON_ONCE(1);
>  			return;
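Review bot: the `vma &&` added to `if (!paddr && !size)` makes the NULL-vma, zero-pfn, zero-size case fall through silently: the block is skipped and the function carries on with paddr == 0 and size == 0, so a caller that supplied nothing usable is no longer noticed. That combination is a caller bug rather than a valid input; reject it explicitly before the block, e.g. `if (WARN_ON_ONCE(!vma && !pfn && !size)) return;`, and leave this condition as it was so the follow_phys() path keeps its existing `WARN_ON_ONCE(1)` reporting.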

So I'd rather have a sanity check in that function which does:

	if (WARN_ON_ONCE(!vma && !pfn && !size))
		return;

Thanks,

	tglx
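The argument contract described in the reply (callers pass either a vma, or a pfn plus size, never neither) together with the proposed up-front sanity check, modelled in user space as an added example; this is not kernel code, and the struct, follow_phys() and warn_on() stand-ins are constructed for the illustration.

```c
#include <stdio.h>
#include <stdbool.h>
#define PAGE_SHIFT 12
#define VM_PAT 0x1UL

/* Constructed stand-ins for the kernel types and helpers used by untrack_pfn(). */
typedef unsigned long long resource_size_t;
struct vm_area_struct { unsigned long vm_start, vm_end, vm_flags; };

/* Model of follow_phys(): the range is treated as identity-mapped, so the
 * physical address of vm_start is vm_start itself. */
static int follow_phys(struct vm_area_struct *vma, unsigned long addr, resource_size_t *paddr)
{
	if (addr < vma->vm_start || addr >= vma->vm_end)
		return -1;
	*paddr = addr;
	return 0;
}

/* Model of WARN_ON_ONCE(): reports the condition (without the once-only
 * rate limiting of the kernel macro) and returns it unchanged. */
static bool warn_on(bool cond, const char *what)
{
	if (cond)
		fprintf(stderr, "WARNING: %s\n", what);
	return cond;
}

/* Resolve the range untrack_pfn() would release, keeping the kernel's structure.
 * Returns 0 and fills *paddr/*sz (sz 0 means nothing to do), -1 on invalid arguments. */
int untrack_pfn_range(struct vm_area_struct *vma, unsigned long pfn, unsigned long size,
		      resource_size_t *paddr, unsigned long *sz)
{
	*paddr = 0; *sz = 0;
	/* Original early-out: a vma that was never PAT-tracked needs no work. */
	if (vma && !(vma->vm_flags & VM_PAT))
		return 0;
	/* The sanity check proposed in the reply: reject the all-absent case up front
	 * instead of masking it with a NULL check inside the block below. */
	if (warn_on(!vma && !pfn && !size, "untrack_pfn: no vma, pfn or size"))
		return -1;
	*paddr = (resource_size_t)pfn << PAGE_SHIFT;
	if (!*paddr && !size) {
		/* vma is non-NULL here, guaranteed by the check above. */
		if (warn_on(follow_phys(vma, vma->vm_start, paddr) != 0, "untrack_pfn: follow_phys failed"))
			return -1;
		size = vma->vm_end - vma->vm_start;
	}
	*sz = size;
	return 0;
}
```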
