lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <CAJZ5v0jsmshYESk2KX0SiUZKZTaNyrNqVy=GxMK4DkN3j6yPZw@mail.gmail.com>
Date:   Fri, 17 Mar 2023 18:45:48 +0100
From:   "Rafael J. Wysocki" <rafael@...nel.org>
To:     Alexander Sapozhnikov <alsp705@...il.com>
Cc:     "Rafael J. Wysocki" <rafael@...nel.org>,
        Len Brown <len.brown@...el.com>, Pavel Machek <pavel@....cz>,
        Thomas Gleixner <tglx@...utronix.de>,
        Ingo Molnar <mingo@...hat.com>, Borislav Petkov <bp@...en8.de>,
        Dave Hansen <dave.hansen@...ux.intel.com>, x86@...nel.org,
        "H. Peter Anvin" <hpa@...or.com>, linux-pm@...r.kernel.org,
        linux-kernel@...r.kernel.org, lvc-project@...uxtesting.org
Subject: Re: [PATCH] arch/x86/kernel/acpi/boot: fix buffer overflow on
 negative index in mp_config_acpi_gsi()

On Fri, Feb 17, 2023 at 2:17 PM Alexander Sapozhnikov <alsp705@...il.com> wrote:
>
> Variable 'ioapic', which may receive negative value by calling
> function 'mp_find_ioapic' at boot.c:465, is used at
> io_apic.c:128 by passing as 1st parameter to function 'mpc_ioapic_id'
> at boot.c:466

And that function uses the given value for array indexing without
checking it, right?

I would rather call this "out of bounds access"

> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>
> Signed-off-by: Alexander Sapozhnikov <alsp705@...il.com>
> ---
>  arch/x86/kernel/acpi/boot.c | 6 ++++--
>  1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/arch/x86/kernel/acpi/boot.c b/arch/x86/kernel/acpi/boot.c
> index 907cc98b1938..abb78822f164 100644
> --- a/arch/x86/kernel/acpi/boot.c
> +++ b/arch/x86/kernel/acpi/boot.c
> @@ -463,8 +463,10 @@ static void mp_config_acpi_gsi(struct device *dev, u32 gsi, int trigger,
>         mp_irq.srcbus = number;
>         mp_irq.srcbusirq = (((devfn >> 3) & 0x1f) << 2) | ((pin - 1) & 3);
>         ioapic = mp_find_ioapic(gsi);
> -       mp_irq.dstapic = mpc_ioapic_id(ioapic);
> -       mp_irq.dstirq = mp_find_ioapic_pin(ioapic, gsi);
> +       if (ioapic >= 0) {
> +               mp_irq.dstapic = mpc_ioapic_id(ioapic);
> +               mp_irq.dstirq = mp_find_ioapic_pin(ioapic, gsi);
> +       }
>
>         mp_save_irq(&mp_irq);

Is it still valid to call this if ioapic is negative?

>  #endif
> --
> 2.34.1
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ