From: Tony Lindgren <tony@atomide.com>
To: linux-arm-kernel@lists.infradead.org
Cc: linux-omap@vger.kernel.org
Subject: [PATCH 4/5] arm: Fix init_atags_procfs() to check tag->hdr.size
Date: Fri, 18 Dec 2009 19:46:30 -0800 [thread overview]
Message-ID: <20091219034630.26198.35713.stgit@localhost> (raw)
In-Reply-To: <20091219034151.26198.26570.stgit@localhost>
The tag->hdr.size cannot be larger than XXX.
Otherwise we can get something similar during boot:
Unable to handle kernel paging request at virtual address 61a05020
...
Signed-off-by: Tony Lindgren <tony@atomide.com>
---
arch/arm/include/asm/setup.h | 12 +++++++++---
arch/arm/kernel/atags.c | 2 +-
arch/arm/kernel/compat.c | 2 +-
arch/arm/kernel/setup.c | 4 ++--
arch/arm/mach-orion5x/common.c | 2 +-
5 files changed, 14 insertions(+), 8 deletions(-)
diff --git a/arch/arm/include/asm/setup.h b/arch/arm/include/asm/setup.h
index 5ccce0a..3ca36bb 100644
--- a/arch/arm/include/asm/setup.h
+++ b/arch/arm/include/asm/setup.h
@@ -21,6 +21,11 @@
/* The list ends with an ATAG_NONE node. */
#define ATAG_NONE 0x00000000
+/* Some sanity checks are needed */
+#define ATAG_MAX_SZ PAGE_SIZE
+#define atag_valid(tag) \
+ ((tag)->hdr.size && ((tag)->hdr.size <= ATAG_MAX_SZ))
+
struct tag_header {
__u32 size;
__u32 tag;
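Review bot: `ATAG_MAX_SZ` is set to `PAGE_SIZE`, a byte count, but `hdr.size` is counted in 32-bit words: `tag_next()` adds it to a `__u32 *` and `tag_member_present()` multiplies it by 4. As written, `atag_valid()` therefore accepts a tag of up to four pages. It also accepts a size of 1, which is smaller than the two-word header, so `tag_next()` can land in the middle of a header. If a one-page limit is intended, `#define ATAG_MAX_SZ (PAGE_SIZE >> 2)` with a comment stating the unit would make that explicit, and a lower bound of `sizeof(struct tag_header) >> 2` for non-terminator tags would close the second gap. The macro also evaluates `tag` twice, so callers must not pass an expression with side effects.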
@@ -173,9 +178,10 @@ struct tagtable {
int (*parse)(const struct tag *);
};
-#define tag_member_present(tag,member) \
- ((unsigned long)(&((struct tag *)0L)->member + 1) \
- <= (tag)->hdr.size * 4)
+#define tag_member_present(tag,member) \
+ (atag_valid(tag) && \
+ (((unsigned long)(&((struct tag *)0L)->member + 1) \
+ <= (tag)->hdr.size * 4))
#define tag_next(t) ((struct tag *)((__u32 *)(t) + (t)->hdr.size))
#define tag_size(type) ((sizeof(struct tag_header) + sizeof(struct type)) >> 2)
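Review bot: The new `tag_member_present()` does not balance as printed: its first two lines open one more parenthesis than the last line closes, so any user of the macro would fail to compile. The final line presumably needs a third closing parenthesis, `<= (tag)->hdr.size * 4)))`. The added `atag_valid(tag)` term is useful here, because bounding `hdr.size` first keeps the `* 4` from wrapping on a very large size.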
diff --git a/arch/arm/kernel/atags.c b/arch/arm/kernel/atags.c
index 42a1a14..14d0993 100644
--- a/arch/arm/kernel/atags.c
+++ b/arch/arm/kernel/atags.c
@@ -51,7 +51,7 @@ static int __init init_atags_procfs(void)
return -EINVAL;
}
- for (; tag->hdr.size; tag = tag_next(tag))
+ for (; atag_valid(tag); tag = tag_next(tag))
;
/* include the terminating ATAG_NONE */
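Review bot: The loop now exits for two different reasons, a zero size (the ATAG_NONE terminator) and a size above `ATAG_MAX_SZ`, but the code after it still treats the stopping point as the terminator. A corrupt list is then silently truncated and, judging by the `/* include the terminating ATAG_NONE */` comment, measured as if it were well formed; the rest of `init_atags_procfs()` is outside this hunk. I would reject the list explicitly after the loop, for example `if (tag->hdr.size) return -EINVAL;` preceded by a `printk(KERN_WARNING ...)` that reports the bad size. The same silent stop applies to the loops in `squash_mem_tags()`, `parse_tags()` and `tag_fixup_mem32()`, where the remaining tags are simply skipped. None of these walks bounds the total distance covered either, only each individual step.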
diff --git a/arch/arm/kernel/compat.c b/arch/arm/kernel/compat.c
index 0a13854..3e63ee1 100644
--- a/arch/arm/kernel/compat.c
+++ b/arch/arm/kernel/compat.c
@@ -220,7 +220,7 @@ void __init convert_to_tag_list(struct tag *tags)
void __init squash_mem_tags(struct tag *tag)
{
- for (; tag->hdr.size; tag = tag_next(tag))
+ for (; atag_valid(tag); tag = tag_next(tag))
if (tag->hdr.tag == ATAG_MEM)
tag->hdr.tag = ATAG_NONE;
}
diff --git a/arch/arm/kernel/setup.c b/arch/arm/kernel/setup.c
index c6c57b6..53d7181 100644
--- a/arch/arm/kernel/setup.c
+++ b/arch/arm/kernel/setup.c
@@ -556,7 +556,7 @@ request_standard_resources(struct meminfo *mi, struct machine_desc *mdesc)
*/
static int __init parse_tag_core(const struct tag *tag)
{
- if (tag->hdr.size > 2) {
+ if ((atag_valid(tag) && (tag->hdr.size > 2))) {
if ((tag->u.core.flags & 1) == 0)
root_mountflags &= ~MS_RDONLY;
ROOT_DEV = old_decode_dev(tag->u.core.rootdev);
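Review bot: `hdr.size > 2` only proves that one payload word follows the header, yet the block reads both `tag->u.core.flags` and `tag->u.core.rootdev`. Assuming these are separate words of the core struct (its definition is not shown in this hunk), at least one of the reads can lie beyond a tag of size 3. `if (tag_member_present(tag, u.core.rootdev)) {` would cover the furthest field read here and, after this patch, already includes `atag_valid()`. If the current condition is kept, the doubled outer parentheses can go: `if (atag_valid(tag) && tag->hdr.size > 2) {`. The function body continues outside the hunk.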
@@ -660,7 +660,7 @@ static int __init parse_tag(const struct tag *tag)
*/
static void __init parse_tags(const struct tag *t)
{
- for (; t->hdr.size; t = tag_next(t))
+ for (; atag_valid(t); t = tag_next(t))
if (!parse_tag(t))
printk(KERN_WARNING
"Ignoring unrecognised tag 0x%08x\n",
diff --git a/arch/arm/mach-orion5x/common.c b/arch/arm/mach-orion5x/common.c
index f87fa12..8afee34 100644
--- a/arch/arm/mach-orion5x/common.c
+++ b/arch/arm/mach-orion5x/common.c
@@ -717,7 +717,7 @@ void __init orion5x_init(void)
void __init tag_fixup_mem32(struct machine_desc *mdesc, struct tag *t,
char **from, struct meminfo *meminfo)
{
- for (; t->hdr.size; t = tag_next(t))
+ for (; atag_valid(t); t = tag_next(t))
if (t->hdr.tag == ATAG_MEM &&
(!t->u.mem.size || t->u.mem.size & ~PAGE_MASK ||
t->u.mem.start & ~PAGE_MASK)) {
From: tony@atomide.com (Tony Lindgren)
To: linux-arm-kernel@lists.infradead.org
Subject: [PATCH 4/5] arm: Fix init_atags_procfs() to check tag->hdr.size
Date: Fri, 18 Dec 2009 19:46:30 -0800 [thread overview]
Message-ID: <20091219034630.26198.35713.stgit@localhost> (raw)
In-Reply-To: <20091219034151.26198.26570.stgit@localhost>
The tag->hdr.size cannot be larger than XXX.
Otherwise we can get something similar during boot:
Unable to handle kernel paging request at virtual address 61a05020
...
Signed-off-by: Tony Lindgren <tony@atomide.com>
---
arch/arm/include/asm/setup.h | 12 +++++++++---
arch/arm/kernel/atags.c | 2 +-
arch/arm/kernel/compat.c | 2 +-
arch/arm/kernel/setup.c | 4 ++--
arch/arm/mach-orion5x/common.c | 2 +-
5 files changed, 14 insertions(+), 8 deletions(-)
diff --git a/arch/arm/include/asm/setup.h b/arch/arm/include/asm/setup.h
index 5ccce0a..3ca36bb 100644
--- a/arch/arm/include/asm/setup.h
+++ b/arch/arm/include/asm/setup.h
@@ -21,6 +21,11 @@
/* The list ends with an ATAG_NONE node. */
#define ATAG_NONE 0x00000000
+/* Some sanity checks are needed */
+#define ATAG_MAX_SZ PAGE_SIZE
+#define atag_valid(tag) \
+ ((tag)->hdr.size && ((tag)->hdr.size <= ATAG_MAX_SZ))
+
struct tag_header {
__u32 size;
__u32 tag;
@@ -173,9 +178,10 @@ struct tagtable {
int (*parse)(const struct tag *);
};
-#define tag_member_present(tag,member) \
- ((unsigned long)(&((struct tag *)0L)->member + 1) \
- <= (tag)->hdr.size * 4)
+#define tag_member_present(tag,member) \
+ (atag_valid(tag) && \
+ (((unsigned long)(&((struct tag *)0L)->member + 1) \
+ <= (tag)->hdr.size * 4))
#define tag_next(t) ((struct tag *)((__u32 *)(t) + (t)->hdr.size))
#define tag_size(type) ((sizeof(struct tag_header) + sizeof(struct type)) >> 2)
diff --git a/arch/arm/kernel/atags.c b/arch/arm/kernel/atags.c
index 42a1a14..14d0993 100644
--- a/arch/arm/kernel/atags.c
+++ b/arch/arm/kernel/atags.c
@@ -51,7 +51,7 @@ static int __init init_atags_procfs(void)
return -EINVAL;
}
- for (; tag->hdr.size; tag = tag_next(tag))
+ for (; atag_valid(tag); tag = tag_next(tag))
;
/* include the terminating ATAG_NONE */
diff --git a/arch/arm/kernel/compat.c b/arch/arm/kernel/compat.c
index 0a13854..3e63ee1 100644
--- a/arch/arm/kernel/compat.c
+++ b/arch/arm/kernel/compat.c
@@ -220,7 +220,7 @@ void __init convert_to_tag_list(struct tag *tags)
void __init squash_mem_tags(struct tag *tag)
{
- for (; tag->hdr.size; tag = tag_next(tag))
+ for (; atag_valid(tag); tag = tag_next(tag))
if (tag->hdr.tag == ATAG_MEM)
tag->hdr.tag = ATAG_NONE;
}
diff --git a/arch/arm/kernel/setup.c b/arch/arm/kernel/setup.c
index c6c57b6..53d7181 100644
--- a/arch/arm/kernel/setup.c
+++ b/arch/arm/kernel/setup.c
@@ -556,7 +556,7 @@ request_standard_resources(struct meminfo *mi, struct machine_desc *mdesc)
*/
static int __init parse_tag_core(const struct tag *tag)
{
- if (tag->hdr.size > 2) {
+ if ((atag_valid(tag) && (tag->hdr.size > 2))) {
if ((tag->u.core.flags & 1) == 0)
root_mountflags &= ~MS_RDONLY;
ROOT_DEV = old_decode_dev(tag->u.core.rootdev);
@@ -660,7 +660,7 @@ static int __init parse_tag(const struct tag *tag)
*/
static void __init parse_tags(const struct tag *t)
{
- for (; t->hdr.size; t = tag_next(t))
+ for (; atag_valid(t); t = tag_next(t))
if (!parse_tag(t))
printk(KERN_WARNING
"Ignoring unrecognised tag 0x%08x\n",
diff --git a/arch/arm/mach-orion5x/common.c b/arch/arm/mach-orion5x/common.c
index f87fa12..8afee34 100644
--- a/arch/arm/mach-orion5x/common.c
+++ b/arch/arm/mach-orion5x/common.c
@@ -717,7 +717,7 @@ void __init orion5x_init(void)
void __init tag_fixup_mem32(struct machine_desc *mdesc, struct tag *t,
char **from, struct meminfo *meminfo)
{
- for (; t->hdr.size; t = tag_next(t))
+ for (; atag_valid(t); t = tag_next(t))
if (t->hdr.tag == ATAG_MEM &&
(!t->u.mem.size || t->u.mem.size & ~PAGE_MASK ||
t->u.mem.start & ~PAGE_MASK)) {