Message-ID: <20260116032321.9841-1-mousezhang7@gmail.com>
Date: Fri, 16 Jan 2026 11:23:21 +0800
From: Mouse Zhang <mousezhang7@...il.com>
To: dave.hansen@...ux.intel.com,
	luto@...nel.org,
	peterz@...radead.org,
	tglx@...nel.org,
	mingo@...hat.com,
	bp@...en8.de,
	hpa@...or.com
Cc: x86@...nel.org,
	linux-kernel@...r.kernel.org,
	Mouse Zhang <mousezhang7@...il.com>
Subject: [PATCH] x86/numa: Initialize __apicid_to_node in dummy_numa_init() to prevent OOB

When NUMA is disabled (numa=off) or the BIOS does not provide an SRAT
table, the kernel falls back to dummy_numa_init(). This function fakes
a single node (Node 0) and maps all memory to it, but it leaves the
__apicid_to_node[] mapping table uninitialized (filled with NUMA_NO_NODE).

This leads to a potential out-of-bounds access in srat_detect_node()
and other topology-related code. Specifically, when numa_cpu_node()
returns NUMA_NO_NODE, some code paths attempt to use cpu_llc_id as a
fallback for the node ID. On modern systems with large APIC IDs, the
cpu_llc_id (derived from APIC ID) can exceed MAX_NUMNODES. Using this
invalid ID in functions like node_online(node) causes memory corruption
or kernel panic.

Fix this by explicitly mapping all unassigned APIC IDs to Node 0 in
dummy_numa_init(). This ensures that numa_cpu_node() consistently
returns Node 0 in non-NUMA environments, avoiding dangerous fallbacks
and keeping the mapping consistent with the fake Node 0.

Signed-off-by: Mouse Zhang <mousezhang7@...il.com>
---
 arch/x86/mm/numa.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/arch/x86/mm/numa.c b/arch/x86/mm/numa.c
index 7a97327140df..673815d95974 100644
--- a/arch/x86/mm/numa.c
+++ b/arch/x86/mm/numa.c
@@ -212,6 +212,13 @@ static int __init dummy_numa_init(void)
 	node_set(0, numa_nodes_parsed);
 	numa_add_memblk(0, 0, PFN_PHYS(max_pfn));
 
+	/* Map all unassociated APIC IDs to the fake node 0 */
+	unsigned int apicid;
+	for (apicid = 0; apicid < MAX_LOCAL_APIC; apicid++) {
+		if (__apicid_to_node[apicid] == NUMA_NO_NODE)
+			 __apicid_to_node[apicid] = 0;
+        }
+
 	return 0;
 }
 
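Review bot: the indentation in this hunk is inconsistent: the closing brace on the last added line is indented with spaces where the surrounding code uses tabs, and `__apicid_to_node[apicid] = 0;` carries an extra space after its tabs; checkpatch.pl will flag both. The `unsigned int apicid;` declaration also lands after the two existing statements in dummy_numa_init(); moving it to the top of the function or into the loop header (`for (unsigned int apicid = 0; apicid < MAX_LOCAL_APIC; apicid++)`) matches the surrounding style. On the logic, the commit message says the failure is the cpu_llc_id fallback producing an ID beyond MAX_NUMNODES when numa_cpu_node() returns NUMA_NO_NODE; pre-filling the table here removes the trigger on the numa=off / missing-SRAT path, but the message should say whether that fallback is also bounds-checked, since any other path that leaves an entry at NUMA_NO_NODE would reach the same code.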
-- 
2.51.0
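The following is an added user-space model of the lookup the commit message describes; it is not kernel code and not part of the patch. It assumes small table sizes (MODEL_MAX_LOCAL_APIC, MODEL_MAX_NUMNODES) and an invented cpu_llc_id derivation (llc_id_from_apicid) so the out-of-range fallback can be shown, and it pairs the patch's table initialization with a consumer-side bounds check on the node index.

```c
/* Added illustration, not kernel code: a user-space model of the
 * __apicid_to_node[] lookup described in the patch message. Table sizes
 * and the LLC-id derivation below are assumptions chosen for the model. */
#include <stdio.h>
#include <string.h>

#define MODEL_MAX_LOCAL_APIC 256   /* assumed: the real MAX_LOCAL_APIC is larger */
#define MODEL_MAX_NUMNODES   8     /* assumed: a small CONFIG_NODES_SHIFT */
#define NUMA_NO_NODE        (-1)

static short apicid_to_node[MODEL_MAX_LOCAL_APIC];
static int node_online_bits[MODEL_MAX_NUMNODES];

/* Reset to the state the message describes: every entry is NUMA_NO_NODE. */
static void reset_table(void)
{
    for (int i = 0; i < MODEL_MAX_LOCAL_APIC; i++)
        apicid_to_node[i] = NUMA_NO_NODE;
    memset(node_online_bits, 0, sizeof(node_online_bits));
    node_online_bits[0] = 1;   /* the fake node 0 is online either way */
}

/* The patch's fix, modelled: map every unassigned APIC ID to node 0. */
static void dummy_numa_init_model(void)
{
    for (int apicid = 0; apicid < MODEL_MAX_LOCAL_APIC; apicid++)
        if (apicid_to_node[apicid] == NUMA_NO_NODE)
            apicid_to_node[apicid] = 0;
}

static int numa_cpu_node_model(int apicid)
{
    if (apicid < 0 || apicid >= MODEL_MAX_LOCAL_APIC)
        return NUMA_NO_NODE;
    return apicid_to_node[apicid];
}

/* Assumed stand-in for cpu_llc_id: derive an LLC id from the APIC id. */
static int llc_id_from_apicid(int apicid)
{
    return apicid >> 3;   /* assumption: 8 logical CPUs share one LLC */
}

/* Resolve a node the way the message describes (table first, LLC id as
 * fallback). Returns 1 if the result is a valid node index, 0 if the
 * fallback produced an id that would index past the node bitmap. */
static int resolve_node(int apicid, int *node)
{
    int n = numa_cpu_node_model(apicid);
    if (n == NUMA_NO_NODE)
        n = llc_id_from_apicid(apicid);   /* the unchecked fallback */
    *node = n;
    return n >= 0 && n < MODEL_MAX_NUMNODES;
}

/* Consumer-side hardening: never index the node bitmap with an unvalidated id. */
static int node_online_checked(int node)
{
    if (node < 0 || node >= MODEL_MAX_NUMNODES)
        return 0;
    return node_online_bits[node];
}

int main(void)
{
    int node;

    reset_table();
    int ok_before = resolve_node(200, &node);   /* LLC id 25 with only 8 nodes */
    printf("before fix: apicid 200 -> node %d (%s)\n",
           node, ok_before ? "valid" : "OUT OF RANGE");

    reset_table();
    dummy_numa_init_model();
    int ok_after = resolve_node(200, &node);
    printf("after fix:  apicid 200 -> node %d (%s), online=%d\n",
           node, ok_after ? "valid" : "OUT OF RANGE", node_online_checked(node));
    return 0;
}
```

With the table left at NUMA_NO_NODE, APIC ID 200 falls through to LLC id 25, which is past the 8-entry node bitmap in this model; after the modelled dummy_numa_init() fill, the lookup returns node 0 and the fallback is never reached. node_online_checked() shows the independent check a consumer can apply so that an out-of-range id is rejected rather than used as an index.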

