lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <CAAi7L5dOJR2DK48_gS4_cUKQuVE+MqdFKfXcfmEwFAGPzrZZKg@mail.gmail.com>
Date: Fri, 24 Oct 2025 14:27:42 -0700
From: Michał Cłapiński <mclapinski@...gle.com>
To: Dave Hansen <dave.hansen@...el.com>
Cc: Thomas Gleixner <tglx@...utronix.de>, Ingo Molnar <mingo@...hat.com>, Borislav Petkov <bp@...en8.de>, 
	Dave Hansen <dave.hansen@...ux.intel.com>, Chris Li <chrisl@...nel.org>, x86@...nel.org, 
	"H. Peter Anvin" <hpa@...or.com>, Ard Biesheuvel <ardb@...nel.org>, Dan Williams <dan.j.williams@...el.com>, 
	Pasha Tatashin <pasha.tatashin@...een.com>, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2 1/1] x86/boot/compressed: Fix avoiding memmap in
 physical KASLR

On Fri, Oct 24, 2025 at 11:21 AM Dave Hansen <dave.hansen@...el.com> wrote:
>
> On 10/23/25 16:23, Michał Cłapiński wrote:
> ...
> > If called 5 times, on the 4th time `i` will indeed be also equal to 4
> > but the last `if` never executes since `str` is null. On the 5th time,
> > we exit the function via the first `if` and memmap_too_large never
> > gets set.
>
> Ahh, thanks for the explanation. The implication of the first `if` is
> what I was missing.
>
> How about we just move the `if` you suggested. Let's put it right next
> to the i++ so that they're *obviously* connected and the moment `i` gets
> too big, the very next thing that happens is setting `memmap_too_large`
> and jumping out of the function.

I might be misunderstanding but I don't see how that would work. When
`i` gets to 4, it's perfectly fine. That means we parsed 4 memmap
regions. I can't fail then. But if `i` gets to 5, it's already too
late. It would mean I've committed an out-of-bounds write.

We should fail only if `i` gets to 4 and there is more data. In the
case of calling the function 5 separate times, we don't know whether
there will be more data.

The check would have to be before `i++`. But then we're unnecessarily
parsing the argument. So we should move the check before the parsing.
And then we arrive at the code I proposed.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ