| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20220616141525.1790083-1-ytcoode@gmail.com>
Date: Thu, 16 Jun 2022 22:15:25 +0800
From: Yuntao Wang <ytcoode@...il.com>
To: dave.hansen@...el.com
Cc: bhe@...hat.com, bp@...en8.de, dave.hansen@...ux.intel.com,
hpa@...or.com, kirill@...temov.name, linux-kernel@...r.kernel.org,
luto@...nel.org, mingo@...hat.com, peterz@...radead.org,
stable@...r.kernel.org, tglx@...utronix.de, x86@...nel.org,
ytcoode@...il.com
Subject: Re: [PATCH] x86/mm: Fix possible index overflow when creating page table mapping
On Thu, 16 Jun 2022 07:02:56 -0700, Dave Hansen wrote:
> On 6/16/22 06:55, Yuntao Wang wrote:
> > There are two issues in phys_p4d_init():
> >
> > - The __kernel_physical_mapping_init() does not do boundary-checking for
> > paddr_end and passes it directly to phys_p4d_init(), phys_p4d_init() does
> > not do bounds checking either, so if the physical memory to be mapped is
> > large enough, 'p4d_page + p4d_index(vaddr)' will wrap around to the
> > beginning entry of the P4D table and its data will be overwritten.
> >
> > - The for loop body will be executed only when 'vaddr < vaddr_end'
> > evaluates to true, but if that condition is true, 'paddr >= paddr_end'
> > will evaluate to false, thus the 'if (paddr >= paddr_end) {}' block will
> > never be executed and become dead code.
>
> Could you explain a bit how you found this? Was this encountered in
> practice and debugged or was it found by inspection?
I found it by inspection.
Powered by blists - more mailing lists