lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Thu, 16 Jun 2022 22:15:25 +0800 From: Yuntao Wang <ytcoode@...il.com> To: dave.hansen@...el.com Cc: bhe@...hat.com, bp@...en8.de, dave.hansen@...ux.intel.com, hpa@...or.com, kirill@...temov.name, linux-kernel@...r.kernel.org, luto@...nel.org, mingo@...hat.com, peterz@...radead.org, stable@...r.kernel.org, tglx@...utronix.de, x86@...nel.org, ytcoode@...il.com Subject: Re: [PATCH] x86/mm: Fix possible index overflow when creating page table mapping On Thu, 16 Jun 2022 07:02:56 -0700, Dave Hansen wrote: > On 6/16/22 06:55, Yuntao Wang wrote: > > There are two issues in phys_p4d_init(): > > > > - The __kernel_physical_mapping_init() does not do boundary-checking for > > paddr_end and passes it directly to phys_p4d_init(), phys_p4d_init() does > > not do bounds checking either, so if the physical memory to be mapped is > > large enough, 'p4d_page + p4d_index(vaddr)' will wrap around to the > > beginning entry of the P4D table and its data will be overwritten. > > > > - The for loop body will be executed only when 'vaddr < vaddr_end' > > evaluates to true, but if that condition is true, 'paddr >= paddr_end' > > will evaluate to false, thus the 'if (paddr >= paddr_end) {}' block will > > never be executed and become dead code. > > Could you explain a bit how you found this? Was this encountered in > practice and debugged or was it found by inspection? I found it by inspection.
Powered by blists - more mailing lists