| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <3e754cf7-35f8-0163-a24a-063fa3d96718@intel.com>
Date: Thu, 16 Jun 2022 07:02:56 -0700
From: Dave Hansen <dave.hansen@...el.com>
To: Yuntao Wang <ytcoode@...il.com>,
Dave Hansen <dave.hansen@...ux.intel.com>,
Andy Lutomirski <luto@...nel.org>,
Peter Zijlstra <peterz@...radead.org>,
Thomas Gleixner <tglx@...utronix.de>,
Ingo Molnar <mingo@...hat.com>, Borislav Petkov <bp@...en8.de>
Cc: "H. Peter Anvin" <hpa@...or.com>, Baoquan He <bhe@...hat.com>,
"Kirill A. Shutemov" <kirill@...temov.name>, x86@...nel.org,
linux-kernel@...r.kernel.org, stable@...r.kernel.org
Subject: Re: [PATCH] x86/mm: Fix possible index overflow when creating page
table mapping
On 6/16/22 06:55, Yuntao Wang wrote:
> There are two issues in phys_p4d_init():
>
> - The __kernel_physical_mapping_init() does not do boundary-checking for
> paddr_end and passes it directly to phys_p4d_init(), phys_p4d_init() does
> not do bounds checking either, so if the physical memory to be mapped is
> large enough, 'p4d_page + p4d_index(vaddr)' will wrap around to the
> beginning entry of the P4D table and its data will be overwritten.
>
> - The for loop body will be executed only when 'vaddr < vaddr_end'
> evaluates to true, but if that condition is true, 'paddr >= paddr_end'
> will evaluate to false, thus the 'if (paddr >= paddr_end) {}' block will
> never be executed and become dead code.
Could you explain a bit how you found this? Was this encountered in
practice and debugged or was it found by inspection?
Powered by blists - more mailing lists