Date: Fri, 21 Jun 2024 15:50:45 +0800
From: Lingyue <lingyue@...omi.com>
To: <catalin.marinas@....com>, <will@...nel.org>, <mark.rutland@....com>,
	<dianders@...omium.org>, <swboyd@...omium.org>, <frederic@...nel.org>,
	<james.morse@....com>, <scott@...amperecomputing.com>,
	<linux-arm-kernel@...ts.infradead.org>, <linux-kernel@...r.kernel.org>
CC: <huangshaobo3@...omi.com>, <huangjun7@...omi.com>, Lingyue
	<lingyue@...omi.com>
Subject: [PATCH] arm64: smp: do not allocate CPU IDs to invalid CPU nodes

Many modules, such as arch topology, rely on num_possible_cpus() to
allocate memory and then access the allocated space using CPU IDs.
These modules assume that there are no gaps in cpu_possible_mask.
However, in of_parse_and_init_cpus(), CPU IDs are still allocated
for invalid CPU nodes, leading to gaps in cpu_possible_mask and
resulting in out-of-bounds memory access. So it is crucial to avoid
allocating CPU IDs to invalid CPU nodes.

This issue can be reproduced easily on QEMU with KASAN enabled, by
modifying the reg property of a CPU node to 0xFFFFFFFF.

[    0.197756] BUG: KASAN: slab-out-of-bounds in topology_normalize_cpu_scale.part.0+0x2cc/0x34c
[    0.199518] Read of size 4 at addr ffff000007ebe924 by task swapper/0/1
[    0.200087]
[    0.200739] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.10.0-rc4 #3
[    0.201647] Hardware name: linux,dummy-virt (DT)
[    0.203067] Call trace:
[    0.203404]  dump_backtrace+0x90/0xe8
[    0.203974]  show_stack+0x18/0x24
[    0.204424]  dump_stack_lvl+0x78/0x90
[    0.205090]  print_report+0x114/0x5cc
[    0.205908]  kasan_report+0xa4/0xf0
[    0.206488]  __asan_report_load4_noabort+0x20/0x2c
[    0.207427]  topology_normalize_cpu_scale.part.0+0x2cc/0x34c
[    0.208275]  init_cpu_topology+0x254/0x430
[    0.209518]  smp_prepare_cpus+0x20/0x25c
[    0.210824]  kernel_init_freeable+0x1dc/0x4fc
[    0.212047]  kernel_init+0x24/0x1ec
[    0.213143]  ret_from_fork+0x10/0x20

Signed-off-by: Lingyue <lingyue@...omi.com>
---
 arch/arm64/kernel/smp.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/arch/arm64/kernel/smp.c b/arch/arm64/kernel/smp.c
index 31c8b3094dd7..5b4178145920 100644
--- a/arch/arm64/kernel/smp.c
+++ b/arch/arm64/kernel/smp.c
@@ -638,12 +638,12 @@ static void __init of_parse_and_init_cpus(void)
 		u64 hwid = of_get_cpu_hwid(dn, 0);
 
 		if (hwid & ~MPIDR_HWID_BITMASK)
-			goto next;
+			continue;
 
 		if (is_mpidr_duplicate(cpu_count, hwid)) {
 			pr_err("%pOF: duplicate cpu reg properties in the DT\n",
 				dn);
-			goto next;
+			continue;
 		}
 
 		/*
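Review bot: the first rejection path in this hunk (`if (hwid & ~MPIDR_HWID_BITMASK) continue;`) drops the node silently, while the duplicate-reg path just below it still reports through pr_err(). Since a malformed reg such as the 0xFFFFFFFF from the commit message now makes the node disappear from cpu_possible_mask with no trace in the log, consider adding a message of the form `pr_err("%pOF: invalid cpu reg property in the DT\n", dn);` before that continue, so a misconfigured DT shows up in dmesg rather than only as a CPU that never appears.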
@@ -656,7 +656,7 @@ static void __init of_parse_and_init_cpus(void)
 			if (bootcpu_valid) {
 				pr_err("%pOF: duplicate boot cpu reg property in DT\n",
 					dn);
-				goto next;
+				continue;
 			}
 
 			bootcpu_valid = true;
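Review bot: after this third `goto next;` becomes `continue;`, nothing in the patch says whether any `goto next` remains in of_parse_and_init_cpus(); the diffstat shows only these three deletions, so the `next:` label itself is not touched. If no jump to it is left, the label should be removed in the same patch (the build will otherwise warn about an unused label); if a jump is left, a sentence in the commit message naming which skip path still consumes a CPU ID, and why that is acceptable given the stated goal of a gap-free cpu_possible_mask, would let reviewers confirm the fix is complete.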
-- 
2.34.1
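The commit message above argues that a rejected CPU node must not consume a logical CPU ID, because consumers size arrays with num_possible_cpus() and then index them by CPU ID. The following is an added userspace model written for this archive page; it is not part of the patch or of the kernel. It replays the ID assignment over a constructed DT (boot CPU 0x0, valid 0x1, bogus 0xFFFFFFFF, valid 0x2) under both policies and checks whether the resulting possible mask has a hole. NR_CPUS is shrunk to 8, the MPIDR_HWID_BITMASK value is assumed to be the arm64 one, and names such as cpu_map, parse_cpu_nodes, count_possible and mask_is_dense are invented for the model.

```c
/*
 * Added example (not part of the patch or the kernel): a userspace model
 * of the logical CPU ID assignment in of_parse_and_init_cpus(), built to
 * show why "goto next" (which still bumps cpu_count for a rejected node)
 * leaves a hole in the possible mask, while "continue" keeps IDs dense.
 * All names below are invented for the model; NR_CPUS is shrunk to 8.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NR_CPUS 8
#define MPIDR_HWID_BITMASK 0xff00ffffffULL   /* assumed arm64 value: Aff3|Aff2|Aff1|Aff0 */
#define INVALID_HWID ((uint64_t)~0ULL)

struct cpu_map {
	uint64_t logical_map[NR_CPUS];   /* logical id -> MPIDR hwid */
	unsigned int possible_mask;      /* bit i set: logical CPU i exists */
	unsigned int cpu_count;          /* next logical id to hand out */
};

/* Does a non-boot logical CPU below 'cpu' already own this hwid? */
static bool is_mpidr_duplicate(const struct cpu_map *m, unsigned int cpu,
			       uint64_t hwid)
{
	for (unsigned int i = 1; i < cpu && i < NR_CPUS; i++)
		if (m->logical_map[i] == hwid)
			return true;
	return false;
}

/*
 * Walk constructed DT "reg" values. skip_consumes_id=true models the
 * pre-patch "goto next" (a rejected node still advances cpu_count);
 * false models the patched "continue". Nodes past NR_CPUS are dropped
 * (a simplification of the real overflow handling).
 */
static void parse_cpu_nodes(struct cpu_map *m, const uint64_t *regs, size_t n,
			    uint64_t boot_hwid, bool skip_consumes_id)
{
	memset(m, 0, sizeof(*m));
	for (unsigned int i = 0; i < NR_CPUS; i++)
		m->logical_map[i] = INVALID_HWID;
	m->logical_map[0] = boot_hwid;        /* boot CPU is always logical 0 */
	m->possible_mask = 1u;
	m->cpu_count = 1;

	for (size_t i = 0; i < n && m->cpu_count < NR_CPUS; i++) {
		uint64_t hwid = regs[i];
		bool reject = (hwid & ~MPIDR_HWID_BITMASK) != 0 ||
			      is_mpidr_duplicate(m, m->cpu_count, hwid);

		if (reject) {
			if (skip_consumes_id)
				m->cpu_count++;   /* the gap: id taken, node dropped */
			continue;
		}
		if (hwid == boot_hwid)
			continue;                 /* already mapped to logical 0 */

		m->logical_map[m->cpu_count] = hwid;
		m->possible_mask |= 1u << m->cpu_count;
		m->cpu_count++;
	}
}

/* Models num_possible_cpus(): population count of the possible mask. */
static unsigned int count_possible(unsigned int mask)
{
	unsigned int n = 0;
	for (; mask; mask &= mask - 1)
		n++;
	return n;
}

/*
 * The assumption the commit message describes: an array of
 * num_possible_cpus() entries indexed by logical CPU id is only safe if
 * every possible id is < num_possible_cpus(), i.e. the mask has no holes.
 */
static bool mask_is_dense(unsigned int mask)
{
	return mask == (1u << count_possible(mask)) - 1;
}

/* Constructed DT: boot CPU 0x0, valid 0x1, bogus 0xFFFFFFFF, valid 0x2. */
static const uint64_t sample_regs[] = { 0x1, 0xFFFFFFFFULL, 0x2 };

/* Possible mask the given policy yields for the constructed DT. */
unsigned int possible_mask_for(bool skip_consumes_id)
{
	struct cpu_map m;
	parse_cpu_nodes(&m, sample_regs, 3, 0x0, skip_consumes_id);
	return m.possible_mask;
}

int main(void)
{
	unsigned int before = possible_mask_for(true);
	unsigned int after = possible_mask_for(false);

	printf("goto next: mask=0x%x possible=%u dense=%d\n",
	       before, count_possible(before), mask_is_dense(before));
	printf("continue : mask=0x%x possible=%u dense=%d\n",
	       after, count_possible(after), mask_is_dense(after));
	return 0;
}
```

With the pre-patch policy the bogus node takes logical ID 2, so the valid 0x2 lands at ID 3 and the mask is 0xb: three possible CPUs but a highest ID of 3, which is exactly the index that overruns a three-element array. With the patched policy the mask is 0x7 and every ID is below num_possible_cpus().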

