lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Tue, 12 Jul 2022 08:54:58 -0700
From:   Yury Norov <yury.norov@...il.com>
To:     Alexander Lobakin <alexandr.lobakin@...el.com>
Cc:     David Woodhouse <dwmw2@...radead.org>,
        Andy Shevchenko <andriy.shevchenko@...ux.intel.com>,
        Rasmus Villemoes <linux@...musvillemoes.dk>,
        Lu Baolu <baolu.lu@...ux.intel.com>,
        Joerg Roedel <joro@...tes.org>, Will Deacon <will@...nel.org>,
        Suresh Siddha <suresh.b.siddha@...el.com>,
        kernel test robot <oliver.sang@...el.com>,
        iommu@...ts.linux.dev, stable@...r.kernel.org,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH] iommu/vt-d: avoid invalid memory access via node_online(NUMA_NO_NODE)

On Tue, Jul 12, 2022 at 8:45 AM Alexander Lobakin
<alexandr.lobakin@...el.com> wrote:
>
> From: Alexander Lobakin <alexandr.lobakin@...el.com>
> Date: Tue, 12 Jul 2022 17:38:36 +0200
>
> > KASAN reports:
> >
> > [ 4.668325][ T0] BUG: KASAN: wild-memory-access in dmar_parse_one_rhsa (arch/x86/include/asm/bitops.h:214 arch/x86/include/asm/bitops.h:226 include/asm-generic/bitops/instrumented-non-atomic.h:142 include/linux/nodemask.h:415 drivers/iommu/intel/dmar.c:497)
> > [    4.676149][    T0] Read of size 8 at addr 1fffffff85115558 by task swapper/0/0
> > [    4.683454][    T0]
> > [    4.685638][    T0] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.19.0-rc3-00004-g0e862838f290 #1
> > [    4.694331][    T0] Hardware name: Supermicro SYS-5018D-FN4T/X10SDV-8C-TLN4F, BIOS 1.1 03/02/2016
> > [    4.703196][    T0] Call Trace:
> > [    4.706334][    T0]  <TASK>
> > [ 4.709133][ T0] ? dmar_parse_one_rhsa (arch/x86/include/asm/bitops.h:214 arch/x86/include/asm/bitops.h:226 include/asm-generic/bitops/instrumented-non-atomic.h:142 include/linux/nodemask.h:415 drivers/iommu/intel/dmar.c:497)
> >
> > after converting the type of the first argument (@nr, bit number)
> > of arch_test_bit() from `long` to `unsigned long`[0].
> >
> > Under certain conditions (for example, when ACPI NUMA is disabled
> > via command line), pxm_to_node() can return %NUMA_NO_NODE (-1).
> > It is valid 'magic' number of NUMA node, but not valid bit number
> > to use in bitops.
> > node_online() eventually descends to test_bit() without checking
> > for the input, assuming it's on caller side (which might be good
> > for perf-critical tasks). There, -1 becomes %ULONG_MAX which leads
> > to an insane array index when calculating bit position in memory.
> >
> > For now, add an explicit check for @node being not %NUMA_NO_NODE
> > before calling test_bit(). The actual logics didn't change here
> > at all.
>
> Bah, forgot to insert the link here. Hope not worth resending ._.
>
> [0] https://github.com/norov/linux/commit/0e862838f290147ea9c16db852d8d494b552d38d

I'll add this link and apply the patch to the bitmap-for-next, after
some testing.

Thanks,
Yury

Powered by blists - more mailing lists