| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 18 Aug 2021 18:22:08 -0700
From: Randy Dunlap <rdunlap@...radead.org>
To: "David E. Box" <david.e.box@...ux.intel.com>,
irenic.rajneesh@...il.com, novikov@...ras.ru,
gayatri.kammela@...el.com, hdegoede@...hat.com,
mgross@...ux.intel.com, andy.shevchenko@...il.com
Cc: platform-driver-x86@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v3] platform/x86: intel_pmc_core: Prevent possibile
overflow
On 8/13/21 6:47 PM, David E. Box wrote:
> Substate priority levels are encoded in 4 bits in the LPM_PRI register.
> This value was used as an index to an array whose element size was less
> than 16, leading to the possibility of overflow should we read a larger
> than expected priority. In addition to the overflow, bad values could lead
> to incorrect state reporting. So rework the priority code to prevent the
> overflow and perform some validation of the register. Use the priority
> register values if they give an ordering of unique numbers between 0 and
> the maximum number of states. Otherwise, use a default ordering instead.
>
> Reported-by: Evgeny Novikov <novikov@...ras.ru>
> Signed-off-by: David E. Box <david.e.box@...ux.intel.com>
> ---
> v3: Modifying Andy's suggestion, just place the entire verification
> in a separate function. If it fails, then keep the default
> ordering. If it passes, overwrite with the verified ordering.
>
> Fix error in default order array.
>
> Also fix spelling noted by Andy drop the size comment since
> the array size is set when declared.
>
> v2: Remove lpm_priority size increase. Instead, remove that array and
> create 2 new local arrays, one to save priority levels in mode order,
> and one to save modes in priority order. Use the mode_order list to
> validate that no priority level is above the maximum and to validate
> that they are all unique values. Then we can safely create a
> priority_order list that will be the basis of how we report substate
> information.
>
> drivers/platform/x86/intel_pmc_core.c | 65 +++++++++++++++++++++------
> drivers/platform/x86/intel_pmc_core.h | 2 +
> 2 files changed, 53 insertions(+), 14 deletions(-)
Hi,
I was seeing this:
[ 2.027295] ================================================================================
[ 2.028593] UBSAN: shift-out-of-bounds in ../drivers/platform/x86/intel_pmc_core.c:1484:9
[ 2.029683] shift exponent 255 is too large for 64-bit type 'long unsigned int'
[ 2.030775] CPU: 11 PID: 312 Comm: systemd-udevd Tainted: G U W 5.14.0-rc6 #3 7cd0fa64f79977022e75f1a75abe17c80d128fc2
[ 2.032485] Hardware name: To Be Filled By O.E.M. To Be Filled By O.E.M./H470M-STX, BIOS P2.10 03/16/2021
[ 2.034325] Call Trace:
[ 2.040611] dump_stack_lvl+0x38/0x49
[ 2.042513] dump_stack+0x10/0x12
[ 2.044438] ubsan_epilogue+0x9/0x80
[ 2.048462] __ubsan_handle_shift_out_of_bounds+0xfa/0x140
[ 2.050430] ? __ioremap_caller.constprop.18+0x1e9/0x380
[ 2.054850] pmc_core_probe+0x5cc/0x700 [intel_pmc_core 0d273a9f7ee2dddcef3fc0b98322787b4774a615]
[ 2.055856] snd_hda_intel 0000:00:1f.3: azx_get_response timeout, switching to polling mode: last cmd=0x200f0000
[ 2.056248] ? pmc_core_probe+0x5cc/0x700 [intel_pmc_core 0d273a9f7ee2dddcef3fc0b98322787b4774a615]
[ 2.059664] ? __cond_resched+0x19/0x40
[ 2.065564] ? acpi_device_wakeup_disable+0x50/0x80
[ 2.067391] platform_probe+0x49/0x100
[ 2.068684] ? platform_probe+0x49/0x100
[ 2.069942] ? driver_sysfs_add+0x7a/0x100
[ 2.071181] really_probe+0x1f4/0x4c0
[ 2.072413] __driver_probe_device+0x11d/0x1c0
[ 2.073642] driver_probe_device+0x24/0xc0
[ 2.074857] __driver_attach+0xae/0x180
[ 2.076055] ? __device_attach_driver+0x180/0x180
[ 2.077247] ? __device_attach_driver+0x180/0x180
[ 2.078454] bus_for_each_dev+0x72/0xc0
[ 2.079646] driver_attach+0x1e/0x40
[ 2.080824] bus_add_driver+0x156/0x240
[ 2.082011] ? 0xffffffffc0119000
[ 2.083184] driver_register+0x60/0x100
[ 2.084331] ? 0xffffffffc0119000
[ 2.085474] __platform_driver_register+0x1e/0x40
[ 2.086612] pmc_core_driver_init+0x1c/0x1000 [intel_pmc_core 0d273a9f7ee2dddcef3fc0b98322787b4774a615]
[ 2.087776] do_one_initcall+0x43/0x200
[ 2.088927] ? kmem_cache_alloc_trace+0x4e/0x500
[ 2.090078] ? __vunmap+0x1c9/0x240
[ 2.091223] do_init_module+0x5f/0x235
[ 2.092350] load_module+0x29d0/0x2e80
[ 2.093476] ? kernel_read_file+0x2d2/0x300
[ 2.094589] __do_sys_finit_module+0xbe/0x140
[ 2.095702] ? __do_sys_finit_module+0xbe/0x140
[ 2.096789] __x64_sys_finit_module+0x1a/0x40
[ 2.097880] do_syscall_64+0x58/0x80
[ 2.098971] ? syscall_exit_to_user_mode+0x16/0x40
[ 2.100064] ? do_syscall_64+0x67/0x80
[ 2.101140] ? exit_to_user_mode_prepare+0x138/0x1c0
[ 2.102213] ? syscall_exit_to_user_mode+0x16/0x40
[ 2.103278] ? do_syscall_64+0x67/0x80
[ 2.104343] ? exc_page_fault+0x6d/0x140
[ 2.105391] ? asm_exc_page_fault+0x8/0x30
[ 2.106429] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 2.107470] RIP: 0033:0x7f1638f19569
[ 2.108506] Code: 2d 00 b8 ca 00 00 00 0f 05 eb a5 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d f7 38 2d 00 f7 d8 64 89 01 48
[ 2.109585] RSP: 002b:00007fff1d6c7758 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
[ 2.110677] RAX: ffffffffffffffda RBX: 000055d99d2f0780 RCX: 00007f1638f19569
[ 2.111757] RDX: 0000000000000000 RSI: 00007f163987ff9d RDI: 0000000000000006
[ 2.112841] RBP: 00007f163987ff9d R08: 0000000000000000 R09: 000055d99d0c1940
[ 2.113916] R10: 0000000000000006 R11: 0000000000000246 R12: 0000000000020000
[ 2.115347] R13: 000055d99d0c1d20 R14: 0000000000000000 R15: 000055d99d0c8610
[ 2.116470] ================================================================================
and couldn't tell if this patch was supposed to fix that, so I tested it and I no longer
see the UBSAN report.
So Thanks and
Tested-by: Randy Dunlap <rdunlap@...radead.org>
--
~Randy
Powered by blists - more mailing lists