| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20200923043459.GL795820@optiplex-lnx>
Date: Wed, 23 Sep 2020 00:34:59 -0400
From: Rafael Aquini <aquini@...hat.com>
To: "Huang, Ying" <ying.huang@...el.com>
Cc: linux-mm@...ck.org, linux-kernel@...r.kernel.org,
akpm@...ux-foundation.org
Subject: Re: [PATCH] mm: swapfile: avoid split_swap_cluster() NULL pointer
dereference
On Wed, Sep 23, 2020 at 10:21:36AM +0800, Huang, Ying wrote:
> Hi, Rafael,
>
> Rafael Aquini <aquini@...hat.com> writes:
>
> > The swap area descriptor only gets struct swap_cluster_info *cluster_info
> > allocated if the swapfile is backed by non-rotational storage.
> > When the swap area is laid on top of ordinary disk spindles, lock_cluster()
> > will naturally return NULL.
>
> Thanks for reporting. But the bug looks strange. Because in a system
> with only HDD swap devices, during THP swap out, the swap cluster
> shouldn't be allocated, as in
>
> shrink_page_list()
> add_to_swap()
> get_swap_page()
> get_swap_pages()
> swap_alloc_cluster()
>
The underlying problem is that swap_info_struct.cluster_info is always NULL
on the rotational storage case. So, it's very easy to follow that constructions
like this one, in split_swap_cluster
...
ci = lock_cluster(si, offset);
cluster_clear_huge(ci);
...
will go for a NULL pointer dereference, in that case, given that lock_cluster
reads:
...
struct swap_cluster_info *ci;
ci = si->cluster_info;
if (ci) {
ci += offset / SWAPFILE_CLUSTER;
spin_lock(&ci->lock);
}
return ci;
...
Powered by blists - more mailing lists