| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <60582be6-e4e1-f3c5-63e7-5ff7016c87a9@amd.com>
Date: Wed, 14 Aug 2024 09:22:22 -0500
From: Tom Lendacky <thomas.lendacky@....com>
To: "Kirill A. Shutemov" <kirill.shutemov@...ux.intel.com>,
Thomas Gleixner <tglx@...utronix.de>, Ingo Molnar <mingo@...hat.com>,
Borislav Petkov <bp@...en8.de>, Dave Hansen <dave.hansen@...ux.intel.com>,
x86@...nel.org, "H. Peter Anvin" <hpa@...or.com>,
"Rafael J. Wysocki" <rafael@...nel.org>, Andy Lutomirski <luto@...nel.org>,
Peter Zijlstra <peterz@...radead.org>, Baoquan He <bhe@...hat.com>
Cc: Ard Biesheuvel <ardb@...nel.org>,
Andrew Morton <akpm@...ux-foundation.org>,
Thomas Zimmermann <tzimmermann@...e.de>,
Sean Christopherson <seanjc@...gle.com>, linux-kernel@...r.kernel.org,
linux-acpi@...r.kernel.org, Kai Huang <kai.huang@...el.com>
Subject: Re: [PATCHv2 1/4] x86/mm/ident_map: Fix virtual address wrap to zero
On 8/14/24 07:46, Kirill A. Shutemov wrote:
> Calculation of 'next' virtual address doesn't protect against wrapping
> to zero. It can result in page table corruption and hang. The
> problematic case is possible if user sets high x86_mapping_info::offset.
>
> Replace manual 'next' calculation with p?d_addr_end() which handles
> wrapping correctly.
>
> Signed-off-by: Kirill A. Shutemov <kirill.shutemov@...ux.intel.com>
> Reviewed-by: Kai Huang <kai.huang@...el.com>
Reviewed-by: Tom Lendacky <thomas.lendacky@....com>
> ---
> arch/x86/mm/ident_map.c | 14 +++-----------
> 1 file changed, 3 insertions(+), 11 deletions(-)
>
> diff --git a/arch/x86/mm/ident_map.c b/arch/x86/mm/ident_map.c
> index 437e96fb4977..5872f3ee863c 100644
> --- a/arch/x86/mm/ident_map.c
> +++ b/arch/x86/mm/ident_map.c
> @@ -101,9 +101,7 @@ static int ident_pud_init(struct x86_mapping_info *info, pud_t *pud_page,
> pmd_t *pmd;
> bool use_gbpage;
>
> - next = (addr & PUD_MASK) + PUD_SIZE;
> - if (next > end)
> - next = end;
> + next = pud_addr_end(addr, end);
>
> /* if this is already a gbpage, this portion is already mapped */
> if (pud_leaf(*pud))
> @@ -154,10 +152,7 @@ static int ident_p4d_init(struct x86_mapping_info *info, p4d_t *p4d_page,
> p4d_t *p4d = p4d_page + p4d_index(addr);
> pud_t *pud;
>
> - next = (addr & P4D_MASK) + P4D_SIZE;
> - if (next > end)
> - next = end;
> -
> + next = p4d_addr_end(addr, end);
> if (p4d_present(*p4d)) {
> pud = pud_offset(p4d, 0);
> result = ident_pud_init(info, pud, addr, next);
> @@ -199,10 +194,7 @@ int kernel_ident_mapping_init(struct x86_mapping_info *info, pgd_t *pgd_page,
> pgd_t *pgd = pgd_page + pgd_index(addr);
> p4d_t *p4d;
>
> - next = (addr & PGDIR_MASK) + PGDIR_SIZE;
> - if (next > end)
> - next = end;
> -
> + next = pgd_addr_end(addr, end);
> if (pgd_present(*pgd)) {
> p4d = p4d_offset(pgd, 0);
> result = ident_p4d_init(info, p4d, addr, next);
Powered by blists - more mailing lists