lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20250905204848.GA1322742@bhelgaas>
Date: Fri, 5 Sep 2025 15:48:48 -0500
From: Bjorn Helgaas <helgaas@...nel.org>
To: Wang ShaoBo <bobo.shaobowang@...wei.com>
Cc: linux-pci@...r.kernel.org, bhelgaas@...gle.com, leijitang@...wei.com,
	linux-kernel@...r.kernel.org, akpm@...ux-foundation.org,
	christian.brauner@...ntu.com, linux-hardening@...r.kernel.org
Subject: Re: [PATCH] PCI: Fix the int overflow in proc_bus_pci_write()

[+cc linux-hardening]

On Fri, Sep 05, 2025 at 06:47:30PM +0800, Wang ShaoBo wrote:
> Following testcase can trigger a softlockup BUG.
> syscall(__NR_pwritev, /*fd=*/..., /*vec=*/..., /*vlen=*/...,
>         /*pos_l=*/0x80010000, /*pos_h=*/0x100);
> 
> watchdog: BUG: soft lockup - CPU#11 stuck for 22s! [test:537]
> Modules linked in:
> CPU: 11 PID: 537 Comm: test Not tainted 5.10.0+ #67
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
> RIP: 0010:pci_user_write_config_dword+0x67/0xc0
> Code: 00 00 44 89 e2 48 8b 87 e0 00 00 00 48 8b 40 20 e8 9e 54 7e 00 48 c7 c7 20 48 a2 83 41 89 c0 c6 07 00 0f 1f 40 00 fb 45 85 c0 <7e> 12 41 8d 80 7f ff ff ff 41 b8 de ff ff ff 83 f8 08 76 0c 5b 44
> RSP: 0018:ffffc900016c3d30 EFLAGS: 00000246
> RAX: 0000000000000000 RBX: ffff888042058000 RCX: 0000000000000005
> RDX: ffff888004058a00 RSI: 0000000000000046 RDI: ffffffff83a24820
> RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000001
> R10: ffff888005c25900 R11: 0000000000000000 R12: 0000000080c48680
> R13: 0000000020c38684 R14: 0000000080010000 R15: ffff888004702408
> FS:  000000003ae91880(0000) GS:ffff88801f380000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 0000000020c00000 CR3: 0000000006f2c000 CR4: 00000000000006e0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> Call Trace:
>  proc_bus_pci_write+0x22c/0x260
>  proc_reg_write+0x40/0x90
>  do_loop_readv_writev.part.0+0x97/0xc0
>  do_iter_write+0xf6/0x150
>  vfs_writev+0x97/0x130
>  ? files_cgroup_alloc_fd+0x5c/0x70
>  ? do_sys_openat2+0x1c9/0x320
>  __x64_sys_pwritev+0xb1/0x100
>  do_syscall_64+0x2b/0x40
>  entry_SYSCALL_64_after_hwframe+0x6c/0xd6
> 
> The pos_l parameter for pwritev syscall may be an integer negative value,
> which will make the variable pos in proc_bus_pci_write() negative and
> variable cnt a very large number.

Sounds like a problem; have you looked for similar problems in other
.proc_write() and .proc_read() functions?  validate_flash_write() is
one that also looks suspicious to me.

I think you're describing this code:

  static ssize_t proc_bus_pci_write(struct file *file, const char __user *buf,
				    size_t nbytes, loff_t *ppos)
  {
        int pos = *ppos;
        int size = dev->cfg_size;
        int cnt, ret;

        if (pos + nbytes > size)
                nbytes = size - pos;
        cnt = nbytes;
	...
	while (cnt >= 4) {
		...
                pos += 4;
                cnt -= 4;
	}

proc_bus_pci_read() is quite similar but "pos", "cnt", and "size" are
unsigned:

  static ssize_t proc_bus_pci_read(struct file *file, char __user *buf,
				   size_t nbytes, loff_t *ppos)
  {
        unsigned int pos = *ppos;
        unsigned int cnt, size;

It seems like they should use the same strategy to avoid this problem.

> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Reported-by: Hulk Robot <hulkci@...wei.com>
> Signed-off-by: Wang ShaoBo <bobo.shaobowang@...wei.com>
> ---
>  drivers/pci/proc.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/pci/proc.c b/drivers/pci/proc.c
> index 9348a0fb8084..ef7a33affb3b 100644
> --- a/drivers/pci/proc.c
> +++ b/drivers/pci/proc.c
> @@ -121,7 +121,7 @@ static ssize_t proc_bus_pci_write(struct file *file, const char __user *buf,
>  	if (ret)
>  		return ret;
>  
> -	if (pos >= size)
> +	if (pos < 0 || pos >= size)
>  		return 0;
>  	if (nbytes >= size)
>  		nbytes = size;
> -- 
> 2.25.1
> 

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ