| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20251124233931.GA2725583@bhelgaas>
Date: Mon, 24 Nov 2025 17:39:31 -0600
From: Bjorn Helgaas <helgaas@...nel.org>
To: Ilpo Järvinen <ilpo.jarvinen@...ux.intel.com>
Cc: Bjorn Helgaas <bhelgaas@...gle.com>,
Christian König <christian.koenig@....com>,
linux-pci@...r.kernel.org, linux-kernel@...r.kernel.org,
Dan Carpenter <dan.carpenter@...aro.org>
Subject: Re: [PATCH 1/1] PCI: Check pci_rebar_size_supported() input
On Mon, Nov 24, 2025 at 05:37:40PM +0200, Ilpo Järvinen wrote:
> According to Dan Carpenter, smatch detects issue with size parameter
> given to pci_rebar_size_supported():
>
> drivers/pci/rebar.c:142 pci_rebar_size_supported()
> error: undefined (user controlled) shift '(((1))) << size'
>
> The problem is this call tree:
> __resource_resize_store() <- takes an unsigned long from the user
> -> pci_resize_resource() <- truncates it to int
> -> pci_rebar_size_supported()
>
> The string input to __resource_resize_store() is to unsigned long and
> then passed to pci_resize_resource(). There could be similar problems
> also with the values coming from GPU drivers.
>
> Add 'size' validation to pci_rebar_size_supported().
>
> There seems to be no SZ_128T prior to this so add one to be able to
> specify the largest size supported by the kernel (PCIe r7.0 spec
> already defines sizes even beyond 128TB but kernel does not yet support
> them).
>
> The issue looks older than the introduction of
> pci_rebar_size_supported() in the commit bb1fabd0d94e ("PCI: Add
> pci_rebar_size_supported() helper").
>
> It would be also nice to convert 'size' unsigned too everywhere, maybe
> even u8 but that is left as further work.
>
> Fixes: 8bb705e3e79d ("PCI: Add pci_resize_resource() for resizing BARs")
> Reported-by: Dan Carpenter <dan.carpenter@...aro.org>
> Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@...ux.intel.com>
Applied to pci/resource for v6.19, thanks!
> ---
>
> As this is so close to the merge window, I assume this will be routed
> through next but I suggest not folding it to the commit bb1fabd0d94e
> ("PCI: Add pci_rebar_size_supported() helper") as this should be
> backported. It will fail backport immediately as pci_rebar_size_supported()
> is only in pci/resource but I'll deal with it when the time comes and
> create a backport for it to the older codebase.
>
> ---
> drivers/pci/rebar.c | 3 +++
> include/linux/sizes.h | 1 +
> 2 files changed, 4 insertions(+)
>
> diff --git a/drivers/pci/rebar.c b/drivers/pci/rebar.c
> index 8f7af3053cd8..a84165a196fa 100644
> --- a/drivers/pci/rebar.c
> +++ b/drivers/pci/rebar.c
> @@ -139,6 +139,9 @@ bool pci_rebar_size_supported(struct pci_dev *pdev, int bar, int size)
> {
> u64 sizes = pci_rebar_get_possible_sizes(pdev, bar);
>
> + if (size < 0 || size > ilog2(SZ_128T) - ilog2(PCI_REBAR_MIN_SIZE))
> + return false;
> +
> return BIT(size) & sizes;
> }
> EXPORT_SYMBOL_GPL(pci_rebar_size_supported);
> diff --git a/include/linux/sizes.h b/include/linux/sizes.h
> index 49039494076f..f1f1a055b047 100644
> --- a/include/linux/sizes.h
> +++ b/include/linux/sizes.h
> @@ -67,5 +67,6 @@
> #define SZ_16T _AC(0x100000000000, ULL)
> #define SZ_32T _AC(0x200000000000, ULL)
> #define SZ_64T _AC(0x400000000000, ULL)
> +#define SZ_128T _AC(0x800000000000, ULL)
>
> #endif /* __LINUX_SIZES_H__ */
>
> base-commit: bf0a90fc907e47344f88e5b9b241082184dbac27
> --
> 2.39.5
>
Powered by blists - more mailing lists