| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 16 Jun 2022 07:20:40 -0700
From: Dave Hansen <dave.hansen@...el.com>
To: Yuntao Wang <ytcoode@...il.com>
Cc: bhe@...hat.com, bp@...en8.de, dave.hansen@...ux.intel.com,
hpa@...or.com, kirill@...temov.name, linux-kernel@...r.kernel.org,
luto@...nel.org, mingo@...hat.com, peterz@...radead.org,
stable@...r.kernel.org, tglx@...utronix.de, x86@...nel.org
Subject: Re: [PATCH] x86/mm: Fix possible index overflow when creating page
table mapping
On 6/16/22 07:15, Yuntao Wang wrote:
> On Thu, 16 Jun 2022 07:02:56 -0700, Dave Hansen wrote:
>> On 6/16/22 06:55, Yuntao Wang wrote:
>>> There are two issues in phys_p4d_init():
>>>
>>> - The __kernel_physical_mapping_init() does not do boundary-checking for
>>> paddr_end and passes it directly to phys_p4d_init(), phys_p4d_init() does
>>> not do bounds checking either, so if the physical memory to be mapped is
>>> large enough, 'p4d_page + p4d_index(vaddr)' will wrap around to the
>>> beginning entry of the P4D table and its data will be overwritten.
>>>
>>> - The for loop body will be executed only when 'vaddr < vaddr_end'
>>> evaluates to true, but if that condition is true, 'paddr >= paddr_end'
>>> will evaluate to false, thus the 'if (paddr >= paddr_end) {}' block will
>>> never be executed and become dead code.
>> Could you explain a bit how you found this? Was this encountered in
>> practice and debugged or was it found by inspection?
> I found it by inspection.
Dare I ask how this was tested?
Powered by blists - more mailing lists