| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <174163625266.14745.15936824915490067574.tip-bot2@tip-bot2>
Date: Mon, 10 Mar 2025 19:50:52 -0000
From: "tip-bot2 for Kirill A. Shutemov" <tip-bot2@...utronix.de>
To: linux-tip-commits@...r.kernel.org
Cc: "Kirill A. Shutemov" <kirill.shutemov@...ux.intel.com>,
Ingo Molnar <mingo@...nel.org>, Kai Huang <kai.huang@...el.com>,
Tom Lendacky <thomas.lendacky@....com>, Andy Lutomirski <luto@...nel.org>,
Linus Torvalds <torvalds@...ux-foundation.org>, x86@...nel.org,
linux-kernel@...r.kernel.org
Subject: [tip: x86/mm] x86/mm/ident_map: Fix theoretical virtual address
overflow to zero
The following commit has been merged into the x86/mm branch of tip:
Commit-ID: 4f10ec03fe1ed12479134be33ddf006382744651
Gitweb: https://git.kernel.org/tip/4f10ec03fe1ed12479134be33ddf006382744651
Author: Kirill A. Shutemov <kirill.shutemov@...ux.intel.com>
AuthorDate: Wed, 16 Oct 2024 14:14:55 +03:00
Committer: Ingo Molnar <mingo@...nel.org>
CommitterDate: Mon, 10 Mar 2025 20:31:30 +01:00
x86/mm/ident_map: Fix theoretical virtual address overflow to zero
The current calculation of the 'next' virtual address in the
page table initialization functions in arch/x86/mm/ident_map.c
doesn't protect against wrapping to zero.
This is a theoretical issue that cannot happen currently,
the problematic case is possible only if the user sets a
high enough x86_mapping_info::offset value - which no
current code in the upstream kernel does.
( The wrapping to zero only occurs if the top PGD entry is accessed.
There are no such users upstream. Only hibernate_64.c uses
x86_mapping_info::offset, and it operates on the direct mapping
range, which is not the top PGD entry. )
Should such an overflow happen, it can result in page table
corruption and a hang.
To future-proof this code, replace the manual 'next' calculation
with p?d_addr_end() which handles wrapping correctly.
[ Backporter's note: there's no need to backport this patch. ]
Signed-off-by: Kirill A. Shutemov <kirill.shutemov@...ux.intel.com>
Signed-off-by: Ingo Molnar <mingo@...nel.org>
Reviewed-by: Kai Huang <kai.huang@...el.com>
Reviewed-by: Tom Lendacky <thomas.lendacky@....com>
Cc: Andy Lutomirski <luto@...nel.org>
Cc: Linus Torvalds <torvalds@...ux-foundation.org>
Link: https://lore.kernel.org/r/20241016111458.846228-2-kirill.shutemov@linux.intel.com
---
arch/x86/mm/ident_map.c | 14 +++-----------
1 file changed, 3 insertions(+), 11 deletions(-)
diff --git a/arch/x86/mm/ident_map.c b/arch/x86/mm/ident_map.c
index 5ab7bd2..bd5d101 100644
--- a/arch/x86/mm/ident_map.c
+++ b/arch/x86/mm/ident_map.c
@@ -101,9 +101,7 @@ static int ident_pud_init(struct x86_mapping_info *info, pud_t *pud_page,
pmd_t *pmd;
bool use_gbpage;
- next = (addr & PUD_MASK) + PUD_SIZE;
- if (next > end)
- next = end;
+ next = pud_addr_end(addr, end);
/* if this is already a gbpage, this portion is already mapped */
if (pud_leaf(*pud))
@@ -154,10 +152,7 @@ static int ident_p4d_init(struct x86_mapping_info *info, p4d_t *p4d_page,
p4d_t *p4d = p4d_page + p4d_index(addr);
pud_t *pud;
- next = (addr & P4D_MASK) + P4D_SIZE;
- if (next > end)
- next = end;
-
+ next = p4d_addr_end(addr, end);
if (p4d_present(*p4d)) {
pud = pud_offset(p4d, 0);
result = ident_pud_init(info, pud, addr, next);
@@ -199,10 +194,7 @@ int kernel_ident_mapping_init(struct x86_mapping_info *info, pgd_t *pgd_page,
pgd_t *pgd = pgd_page + pgd_index(addr);
p4d_t *p4d;
- next = (addr & PGDIR_MASK) + PGDIR_SIZE;
- if (next > end)
- next = end;
-
+ next = pgd_addr_end(addr, end);
if (pgd_present(*pgd)) {
p4d = p4d_offset(pgd, 0);
result = ident_p4d_init(info, p4d, addr, next);
Powered by blists - more mailing lists