lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20200513165540.GA1366700@kroah.com>
Date:   Wed, 13 May 2020 18:55:40 +0200
From:   Greg KH <gregkh@...uxfoundation.org>
To:     Hillf Danton <hdanton@...a.com>,
        Thomas Gleixner <tglx@...utronix.de>
Cc:     syzbot <syzbot+353be47c9ce21b68b7ed@...kaller.appspotmail.com>,
        bp@...en8.de, dave.hansen@...ux.intel.com,
        dmitry.torokhov@...il.com, ebiederm@...ssion.com, hpa@...or.com,
        jeremy.linton@....com, linux-kernel@...r.kernel.org,
        linux-usb@...r.kernel.org, luto@...nel.org, mingo@...hat.com,
        peterz@...radead.org, stern@...land.harvard.edu,
        syzkaller-bugs@...glegroups.com, x86@...nel.org
Subject: Re: WARNING in memtype_reserve

On Wed, May 13, 2020 at 06:22:58PM +0200, Thomas Gleixner wrote:
> Greg KH <gregkh@...uxfoundation.org> writes:
> > On Sat, May 09, 2020 at 12:00:57PM +0200, Thomas Gleixner wrote:
> >> Greg KH <gregkh@...uxfoundation.org> writes:
> >> > On Sat, May 09, 2020 at 12:20:14AM -0700, syzbot wrote:
> >> >> memtype_reserve failed: [mem 0xffffffffff000-0x00008fff], req write-back
> >> >> WARNING: CPU: 1 PID: 7025 at arch/x86/mm/pat/memtype.c:589 memtype_reserve+0x69f/0x820 arch/x86/mm/pat/memtype.c:589
> >> >
> >> > So should memtype_reserve() not do a WARN if given invalid parameters as
> >> > it can be triggered by userspace requests?
> >> >
> >> > A normal "invalid request" debug line is probably all that is needed,
> >> > right?
> >> 
> >> I disagree. The callsite espcially if user space triggerable should not
> >> attempt to ask for a reservation where start > end:
> >> 
> >>   >> memtype_reserve failed: [mem 0xffffffffff000-0x00008fff], req write-back
> >> 
> >> The real question is which part of the call chain is responsible for
> >> this. That needs to be fixed.
> >
> > This is caused by 2bef9aed6f0e ("usb: usbfs: correct kernel->user page
> > attribute mismatch") which changed a call to remap_pfn_range() to
> > dma_mmap_coherent().  Looks like the error checking in remap_pfn_range()
> > handled the invalid options better than dma_mma_coherent() when odd
> > values are passed in.
> >
> > We can add the check to dma_mmap_coherent(), again, but really, this
> > type of check should probably only be needed in one place to ensure we
> > always get it correct, right?
> 
> That might be correct for this particular call chain, but this check
> really is the last defense before stuff goes down the drain. None of the
> last line functions should ever be reached with crappy arguments.

Looking at the other callers of dma_mmap_coherent(), it looks like this
needs to be done in that function, as other drivers are passing in "raw"
data as well.  So Hillf's patch is probably the best one.

Hillf, can you resend it in a format we can apply it in and have syzbot
test?

thanks,

greg k-h

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ