Message-Id: <18ae685b655c6c9334cb80bb32e6b4a1b423b0ae.1717154083.git.namcao@linutronix.de>
Date: Fri, 31 May 2024 13:18:59 +0200
From: Nam Cao <namcao@...utronix.de>
To: Bjorn Helgaas <bhelgaas@...gle.com>,
	Rob Herring <robh@...nel.org>,
	Lizhi Hou <lizhi.hou@....com>,
	linux-pci@...r.kernel.org,
	linux-kernel@...r.kernel.org
Cc: Lukas Wunner <lukas@...ner.de>,
	Nam Cao <namcao@...utronix.de>,
	stable@...r.kernel.org
Subject: [PATCH 1/2] PCI: of_property: Fix NULL pointer dereference in of_pci_prop_bus_range()

The subordinate pointer can be null if we are out of bus numbers. The
function of_pci_prop_bus_range() dereferences this pointer without checking
and may crash the kernel.

This crash can be reproduced by starting a QEMU instance:
    qemu-system-riscv64 -machine virt \
    -kernel ../build-pci-riscv/arch/riscv/boot/Image \
    -append "console=ttyS0 root=/dev/vda" \
    -nographic \
    -drive "file=root.img,format=raw,id=hd0" \
    -device virtio-blk-device,drive=hd0 \
    -device pcie-root-port,bus=pcie.0,slot=1,id=rp1,bus-reserve=0 \
    -device pcie-pci-bridge,id=br1,bus=rp1

Then hot-add a bridge with
    device_add pci-bridge,id=br2,bus=br1,chassis_nr=1,addr=1

Then the kernel crashes:
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000088
    [snip]
[<ffffffff804db234>] of_pci_add_properties+0x34c/0x3c6
[<ffffffff804c8228>] of_pci_make_dev_node+0xb6/0x116
[<ffffffff804a6b72>] pci_bus_add_device+0xa8/0xaa
[<ffffffff804a6ba4>] pci_bus_add_devices+0x30/0x6a
[<ffffffff804d3b5c>] shpchp_configure_device+0xa0/0x112
[<ffffffff804d2b3a>] board_added+0xce/0x354
[<ffffffff804d2e9a>] shpchp_enable_slot+0xda/0x30c
[<ffffffff804d336c>] shpchp_pushbutton_thread+0x84/0xa0

NULL check this pointer first before proceeding.

Fixes: 407d1a51921e ("PCI: Create device tree node for bridge")
Signed-off-by: Nam Cao <namcao@...utronix.de>
Cc: stable@...r.kernel.org
---
 drivers/pci/of_property.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/pci/of_property.c b/drivers/pci/of_property.c
index c2c7334152bc..5fb516807ba2 100644
--- a/drivers/pci/of_property.c
+++ b/drivers/pci/of_property.c
@@ -91,6 +91,9 @@ static int of_pci_prop_bus_range(struct pci_dev *pdev,
 				 struct of_changeset *ocs,
 				 struct device_node *np)
 {
+	if (!pdev->subordinate)
+		return 0;
+
 	u32 bus_range[] = { pdev->subordinate->busn_res.start,
 			    pdev->subordinate->busn_res.end };
 
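Review bot: The new `if (!pdev->subordinate)` check at the top of of_pci_prop_bus_range() sits before the declaration of `bus_range[]`, so the function now mixes a statement ahead of a declaration, which kernel style avoids. Consider declaring `u32 bus_range[2];` first, doing the NULL check, and then assigning the two `busn_res` values. The early `return 0` also reports success while silently skipping the property for this bridge; a one-line comment saying that a bridge without a subordinate bus (out of bus numbers, per the commit message) intentionally gets no bus range would help the next reader, and it is worth confirming that callers do not assume the property always exists.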
-- 
2.39.2

