| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 13 Jul 2023 12:27:15 -0700
From: Yury Norov <yury.norov@...il.com>
To: Andy Shevchenko <andriy.shevchenko@...ux.intel.com>
Cc: Alexander Potapenko <glider@...gle.com>, catalin.marinas@....com,
will@...nel.org, pcc@...gle.com, andreyknvl@...il.com,
linux@...musvillemoes.dk, linux-kernel@...r.kernel.org,
linux-arm-kernel@...ts.infradead.org, eugenis@...gle.com
Subject: Re: [v2 3/5] arm64: mte: implement CONFIG_ARM64_MTE_COMP
> > + bitmap_set_value_unaligned((unsigned long *)buf, largest_idx,
> > + bit_pos, 4);
>
> > + bitmap_set_value_unaligned((unsigned long *)buf, largest_idx,
> > + bit_pos, 6);
>
> > + bitmap_set_value_unaligned((unsigned long *)buf, tags[i],
> > + bit_pos, 4);
>
> > + bitmap_set_value_unaligned((unsigned long *)buf, 0, bit_pos, 4);
>
> > + bitmap_set_value_unaligned((unsigned long *)buf, sizes[i],
> > + bit_pos, 7);
>
> > + largest_idx = bitmap_get_value_unaligned((unsigned long *)buf, bit_pos,
> > + l_bits);
>
> > + r_tags[i] = bitmap_get_value_unaligned((unsigned long *)buf,
> > + bit_pos, 4);
>
> > + r_sizes[i] = bitmap_get_value_unaligned((unsigned long *)buf,
> > + bit_pos, 7);
>
> These castings is a red flag. bitmap API shouldn't be used like this. Something
> is not okay here.
Big-endian arches are not OK. Out-of-boundary access is not OK when
the buf is not exactly a multiple of words.
> > +void ea0_release_handle(u64 handle)
> > +{
> > + void *storage = ea0_storage(handle);
> > + int size = ea0_storage_size(handle);
> > + struct kmem_cache *c;
>
> > + if (!handle || !storage)
> > + return;
>
> You use handle before this check. Haven't you run static analysers?
This approach is called 'defensive programming' as I learned from
previous iteration. Another interesting thing is that the only caller
of the function in patch #5 explicitly checks the handle for NULL, so
we're surely double-defensed here.
+void _mte_free_saved_tags(void *storage)
+{
+ unsigned long handle = xa_to_value(storage);
+ int size;
+
+ if (!handle)
+ return;
+ size = ea0_storage_size(handle);
+ ea0_release_handle(handle);
+}
_mte_free_saved_tags() calculates size, but doesn't use it in any form,
just to calculate it again in callee...
Thanks,
Yury
Powered by blists - more mailing lists