lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Wed, 13 Jul 2022 08:02:41 +0800
From:   Baolu Lu <baolu.lu@...ux.intel.com>
To:     Yury Norov <yury.norov@...il.com>,
        Alexander Lobakin <alexandr.lobakin@...el.com>
Cc:     baolu.lu@...ux.intel.com, David Woodhouse <dwmw2@...radead.org>,
        Andy Shevchenko <andriy.shevchenko@...ux.intel.com>,
        Rasmus Villemoes <linux@...musvillemoes.dk>,
        Joerg Roedel <joro@...tes.org>, Will Deacon <will@...nel.org>,
        Suresh Siddha <suresh.b.siddha@...el.com>,
        kernel test robot <oliver.sang@...el.com>,
        iommu@...ts.linux.dev, stable@...r.kernel.org,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH] iommu/vt-d: avoid invalid memory access via
 node_online(NUMA_NO_NODE)

On 2022/7/12 23:54, Yury Norov wrote:
> On Tue, Jul 12, 2022 at 8:45 AM Alexander Lobakin
> <alexandr.lobakin@...el.com> wrote:
>>
>> From: Alexander Lobakin <alexandr.lobakin@...el.com>
>> Date: Tue, 12 Jul 2022 17:38:36 +0200
>>
>>> KASAN reports:
>>>
>>> [ 4.668325][ T0] BUG: KASAN: wild-memory-access in dmar_parse_one_rhsa (arch/x86/include/asm/bitops.h:214 arch/x86/include/asm/bitops.h:226 include/asm-generic/bitops/instrumented-non-atomic.h:142 include/linux/nodemask.h:415 drivers/iommu/intel/dmar.c:497)
>>> [    4.676149][    T0] Read of size 8 at addr 1fffffff85115558 by task swapper/0/0
>>> [    4.683454][    T0]
>>> [    4.685638][    T0] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.19.0-rc3-00004-g0e862838f290 #1
>>> [    4.694331][    T0] Hardware name: Supermicro SYS-5018D-FN4T/X10SDV-8C-TLN4F, BIOS 1.1 03/02/2016
>>> [    4.703196][    T0] Call Trace:
>>> [    4.706334][    T0]  <TASK>
>>> [ 4.709133][ T0] ? dmar_parse_one_rhsa (arch/x86/include/asm/bitops.h:214 arch/x86/include/asm/bitops.h:226 include/asm-generic/bitops/instrumented-non-atomic.h:142 include/linux/nodemask.h:415 drivers/iommu/intel/dmar.c:497)
>>>
>>> after converting the type of the first argument (@nr, bit number)
>>> of arch_test_bit() from `long` to `unsigned long`[0].
>>>
>>> Under certain conditions (for example, when ACPI NUMA is disabled
>>> via command line), pxm_to_node() can return %NUMA_NO_NODE (-1).
>>> It is valid 'magic' number of NUMA node, but not valid bit number
>>> to use in bitops.
>>> node_online() eventually descends to test_bit() without checking
>>> for the input, assuming it's on caller side (which might be good
>>> for perf-critical tasks). There, -1 becomes %ULONG_MAX which leads
>>> to an insane array index when calculating bit position in memory.
>>>
>>> For now, add an explicit check for @node being not %NUMA_NO_NODE
>>> before calling test_bit(). The actual logics didn't change here
>>> at all.
>>
>> Bah, forgot to insert the link here. Hope not worth resending ._.
>>
>> [0] https://github.com/norov/linux/commit/0e862838f290147ea9c16db852d8d494b552d38d
> 
> I'll add this link and apply the patch to the bitmap-for-next, after
> some testing.

Thank you!

Reviewed-by: Lu Baolu <baolu.lu@...ux.intel.com>

Best regards,
baolu

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ