lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <mhng-3252ea0a-bbbb-4024-ae06-cf2212aaa466@palmerdabbelt-glaptop>
Date:   Tue, 16 Mar 2021 21:53:05 -0700 (PDT)
From:   Palmer Dabbelt <palmer@...belt.com>
To:     geert@...ux-m68k.org
CC:     Paul Walmsley <paul.walmsley@...ive.com>, aou@...s.berkeley.edu,
        Atish Patra <Atish.Patra@....com>,
        linux-riscv@...ts.infradead.org, linux-kernel@...r.kernel.org,
        geert@...ux-m68k.org
Subject:     Re: [PATCH] RISC-V: Fix out-of-bounds accesses in init_resources()

On Fri, 12 Mar 2021 07:46:34 PST (-0800), geert@...ux-m68k.org wrote:
> init_resources() allocates an array of resources, based on the current
> total number of memory regions and reserved memory regions.  However,
> allocating this array using memblock_alloc() might increase the number
> of reserved memory regions.  If that happens, populating the array later
> based on the new number of regions will cause out-of-bounds writes
> beyond the end of the allocated array.
>
> Fix this by allocating one more entry, which may or may not be used.
>
> Fixes: 797f0375dd2ef5cd ("RISC-V: Do not allocate memblock while iterating reserved memblocks")
> Signed-off-by: Geert Uytterhoeven <geert@...ux-m68k.org>
> ---
> Tested on vexriscv, which works now using L1_CACHE_SHIFT = 6, too.
>
> This issue may show up during early boot as:
>
>     Unable to handle kernel paging request at virtual address c8000008
>     Oops [#1]
>     CPU: 0 PID: 0 Comm: swapper Not tainted 5.11.0-orangecrab-00023-g7c4fc8e3e982-dirty #137
>     epc: c04d6660 ra : c04d6560 sp : c05ddf70
>      gp : c0678bc0 tp : c05e5b40 t0 : c8000000
>      t1 : 00030000 t2 : ffffffff s0 : c05ddfc0
>      s1 : c8000000 a0 : 00000000 a1 : c7ffffe0
>      a2 : 00000005 a3 : 00000001 a4 : 0000000c
>      a5 : 00000000 a6 : c04fe000 a7 : 0000000c
>      s2 : c04fe098 s3 : 000000a0 s4 : c7ffff60
>      s5 : c04fe0dc s6 : 80000200 s7 : c059f1d4
>      s8 : 81000200 s9 : c059f1f0 s10: 80000200
>      s11: c059f1d4 t3 : 405dbb60 t4 : c05e6f08
>      t5 : 81000200 t6 : 40501000
>     status: 00000100 badaddr: c8000008 cause: 0000000f
>     random: get_random_bytes called from print_oops_end_marker+0x38/0x7c with crng_init=0
>     ---[ end trace 0000000000000000 ]---
>
> or much later as:
>
>     Unable to handle kernel paging request at virtual address 69726573
> ---
>  arch/riscv/kernel/setup.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/arch/riscv/kernel/setup.c b/arch/riscv/kernel/setup.c
> index e85bacff1b5075ee..f8f15332caa20263 100644
> --- a/arch/riscv/kernel/setup.c
> +++ b/arch/riscv/kernel/setup.c
> @@ -147,7 +147,8 @@ static void __init init_resources(void)
>  	bss_res.end = __pa_symbol(__bss_stop) - 1;
>  	bss_res.flags = IORESOURCE_SYSTEM_RAM | IORESOURCE_BUSY;
>
> -	mem_res_sz = (memblock.memory.cnt + memblock.reserved.cnt) * sizeof(*mem_res);
> +	/* + 1 as memblock_alloc() might increase memblock.reserved.cnt */
> +	mem_res_sz = (memblock.memory.cnt + memblock.reserved.cnt + 1) * sizeof(*mem_res);
>  	mem_res = memblock_alloc(mem_res_sz, SMP_CACHE_BYTES);
>  	if (!mem_res)
>  		panic("%s: Failed to allocate %zu bytes\n", __func__, mem_res_sz);

Thanks, this is on fixes.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ