Message-ID: <20251008181050.GA3833649@ziepe.ca>
Date: Wed, 8 Oct 2025 15:10:50 -0300
From: Jason Gunthorpe <jgg@...pe.ca>
To: Edward Adam Davis <eadavis@...com>
Cc: syzbot+093a8a8b859472e6c257@...kaller.appspotmail.com,
	iommu@...ts.linux.dev, joro@...tes.org, kevin.tian@...el.com,
	linux-kernel@...r.kernel.org, robin.murphy@....com,
	syzkaller-bugs@...glegroups.com, will@...nel.org
Subject: Re: [PATCH] iommufd: Prevent the use of nil data

On Wed, Oct 08, 2025 at 03:53:07PM +0800, Edward Adam Davis wrote:
> The division exception occurs because:
> The denominator bitmap->bitmap is 0, which is derived from the nil value
> of bitmap->data passed in by the reproducer.

No, that just causes the reproducer to bail early. The reported
problem is a divide by zero, which is caused by this:

	unsigned long pgsize = 1UL << bitmap->mapped.pgshift;

	return iova / (BITS_PER_TYPE(*bitmap->bitmap) * pgsize);


  //  ioctl$IOMMU_HWPT_GET_DIRTY_BITMAP arguments: [
  //    fd: fd_iommufd (resource)
  //    cmd: const = 0x3b8c (4 bytes)
  //    arg: ptr[in, iommu_hwpt_get_dirty_bitmap] {
  //      iommu_hwpt_get_dirty_bitmap {
  //        size: len = 0x30 (4 bytes)
  //        hwpt_id: hwpt_handle (resource)
  //        flags: iommufd_hwpt_get_dirty_bitmap_flags = 0x0 (4 bytes)
  //        __reserved: const = 0x0 (4 bytes)
  //        iova: int64 = 0x0 (8 bytes)
  //        length: int64 = 0x0 (8 bytes)
  //        page_size: int64 = 0x8000000000000000 (8 bytes)
                          ^^^^^^^^^^^^^^^^^^^^^^^^^

0x8000000000000000 * BITS_PER_TYPE(*bitmap->bitmap) == 0

It should be fixed by adjusting the logic:

+       return (iova >> bitmap->mapped.pgshift) /
+              BITS_PER_TYPE(*bitmap->bitmap);
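
Review bot: the divisor in the rewritten expression is the constant BITS_PER_TYPE(*bitmap->bitmap), which cannot be zero, so the wrap that produced the zero divisor in `BITS_PER_TYPE(*bitmap->bitmap) * pgsize` is gone; with a 64-bit unsigned long that product is 2^(pgshift + 6) and wraps to 0 for any pgshift of 58 or more, not only the 63 implied by the reproducer's page_size of 0x8000000000000000. For the cases that did not wrap the result is unchanged, since dividing by 2^pgshift and then by the word width equals dividing by their product. What the rewrite still relies on is that bitmap->mapped.pgshift is below the bit width of iova when it reaches `iova >> bitmap->mapped.pgshift`, because a shift by 64 or more is undefined; it would be worth confirming that the bound is enforced where pgshift is derived from the user-supplied page_size, or adding a check there, since the reproducer's value sits at the very edge of that range.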

I will send a patch.

Jason
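
As an added example that is not code from the thread or the kernel tree, the following user-space C program models the index computation described above with both the original divisor and the rewritten form. It assumes a 64-bit unsigned long (the x86_64 target of the syzbot report), mirrors the kernel's BITS_PER_TYPE macro locally, uses a local bitmap_word_t in place of *bitmap->bitmap, and takes pgshift as a plain parameter that the caller keeps below 64; the sample iova and shift values are constructed for the demonstration. It goes beyond the single reproducer value by showing that the product wraps to zero for every pgshift of 58 and above.

```c
#include <stdbool.h>
#include <stdio.h>

/* Added example: user-space model of the iommufd dirty-bitmap index arithmetic.
 * Assumes a 64-bit unsigned long. BITS_PER_TYPE mirrors the kernel macro and
 * bitmap_word_t stands in for *bitmap->bitmap; neither is kernel code. */
#define BITS_PER_TYPE(type) (sizeof(type) * 8)

typedef unsigned long bitmap_word_t;

/* Divisor exactly as the original code forms it:
 *   BITS_PER_TYPE(*bitmap->bitmap) * (1UL << pgshift)
 * With a 64-bit unsigned long the product is 2^(pgshift + 6), which wraps to 0
 * for every pgshift >= 58, not only the pgshift 63 the reproducer reached.
 * Assumption: the caller keeps pgshift < 64, a wider shift is undefined. */
static unsigned long original_divisor(unsigned int pgshift)
{
	unsigned long pgsize = 1UL << pgshift;
	return BITS_PER_TYPE(bitmap_word_t) * pgsize;
}

/* Same product, but checked with the compiler builtin so the wrap is detected
 * instead of silently yielding the zero that later triggers the divide exception. */
static bool original_divisor_wraps(unsigned int pgshift)
{
	unsigned long pgsize = 1UL << pgshift;
	unsigned long product;
	return __builtin_mul_overflow(BITS_PER_TYPE(bitmap_word_t), pgsize, &product);
}

/* Original computation, guarded so this demo never executes the faulting divide.
 * Returns false exactly where the kernel would have taken the division exception. */
static bool original_word_index(unsigned long iova, unsigned int pgshift,
				unsigned long *index)
{
	unsigned long divisor = original_divisor(pgshift);
	if (divisor == 0)
		return false;
	*index = iova / divisor;
	return true;
}

/* Index as the suggested rewrite forms it: shift the iova down to a page
 * number first, then divide by the constant word width. The divisor can no
 * longer be zero, and the result equals iova / (64 * 2^pgshift) whenever that
 * product did not wrap. */
static unsigned long fixed_word_index(unsigned long iova, unsigned int pgshift)
{
	return (iova >> pgshift) / BITS_PER_TYPE(bitmap_word_t);
}

int main(void)
{
	/* Constructed inputs: a normal 4 KiB page, the largest non-wrapping shift,
	 * the first wrapping shift, and the reproducer's 2^63 page size. */
	unsigned int shifts[] = { 12, 57, 58, 63 };
	unsigned long iova = 0x1000000UL;

	for (unsigned int i = 0; i < sizeof(shifts) / sizeof(shifts[0]); i++) {
		unsigned int s = shifts[i];
		unsigned long idx;

		printf("pgshift=%2u divisor=0x%016lx wraps=%d fixed_index=%lu",
		       s, original_divisor(s), (int)original_divisor_wraps(s),
		       fixed_word_index(iova, s));
		if (original_word_index(iova, s, &idx))
			printf(" original_index=%lu\n", idx);
		else
			printf(" original_index=<divide by zero>\n");
	}
	return 0;
}
```

Compile with gcc or clang on a 64-bit host; the 12 and 57 rows show the two forms agreeing, while the 58 and 63 rows show the original divisor collapsing to zero where the rewritten form still produces a valid word index.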
