lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Fri, 17 Jun 2022 14:38:55 +0800
From:   Yuntao Wang <ytcoode@...il.com>
To:     dave.hansen@...el.com
Cc:     bhe@...hat.com, bp@...en8.de, dave.hansen@...ux.intel.com,
        hpa@...or.com, kirill@...temov.name, linux-kernel@...r.kernel.org,
        luto@...nel.org, mingo@...hat.com, peterz@...radead.org,
        stable@...r.kernel.org, tglx@...utronix.de, x86@...nel.org,
        ytcoode@...il.com
Subject: Re: [PATCH] x86/mm: Fix possible index overflow when creating page table mapping

On Thu, 16 Jun 2022 07:20:40 -0700, Dave Hansen wrote:
> On 6/16/22 07:15, Yuntao Wang wrote:
> > On Thu, 16 Jun 2022 07:02:56 -0700, Dave Hansen wrote:
> >> On 6/16/22 06:55, Yuntao Wang wrote:
> >>> There are two issues in phys_p4d_init():
> >>>
> >>> - The __kernel_physical_mapping_init() does not do boundary-checking for
> >>>   paddr_end and passes it directly to phys_p4d_init(), phys_p4d_init() does
> >>>   not do bounds checking either, so if the physical memory to be mapped is
> >>>   large enough, 'p4d_page + p4d_index(vaddr)' will wrap around to the
> >>>   beginning entry of the P4D table and its data will be overwritten.
> >>>
> >>> - The for loop body will be executed only when 'vaddr < vaddr_end'
> >>>   evaluates to true, but if that condition is true, 'paddr >= paddr_end'
> >>>   will evaluate to false, thus the 'if (paddr >= paddr_end) {}' block will
> >>>   never be executed and become dead code.
> >> Could you explain a bit how you found this?  Was this encountered in
> >> practice and debugged or was it found by inspection?
> > I found it by inspection.
>
> Dare I ask how this was tested?

Due to some limitations, I didn't test the changes thoroughly, I just built
the kernel and booted it in QEMU.

Considering that the patch was not fully tested, I spent a lot of time
reviewing the code I changed and tried my best to make it correct.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ