From: "Erhard F." <erhard_f@mailbox.org>
To: Christophe Leroy <christophe.leroy@csgroup.eu>
Cc: linuxppc-dev@lists.ozlabs.org, Paul Mackerras <paulus@samba.org>,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH] powerpc/32s: Fix shift-out-of-bounds in KASAN init
Date: Tue, 30 Nov 2021 14:45:41 +0100 [thread overview]
Message-ID: <20211130144541.2597f936@yea> (raw)
In-Reply-To: <15cbc3439d4ad988b225e2119ec99502a5cc6ad3.1638261744.git.christophe.leroy@csgroup.eu>
On Tue, 30 Nov 2021 09:42:37 +0100
Christophe Leroy <christophe.leroy@csgroup.eu> wrote:
> ================================================================================
> UBSAN: shift-out-of-bounds in arch/powerpc/mm/kasan/book3s_32.c:22:23
> shift exponent -1 is negative
> CPU: 0 PID: 0 Comm: swapper Not tainted 5.15.5-gentoo-PowerMacG4 #9
> Call Trace:
> [c214be60] [c0ba0048] dump_stack_lvl+0x80/0xb0 (unreliable)
> [c214be80] [c0b99288] ubsan_epilogue+0x10/0x5c
> [c214be90] [c0b98fe0] __ubsan_handle_shift_out_of_bounds+0x94/0x138
> [c214bf00] [c1c0f010] kasan_init_region+0xd8/0x26c
> [c214bf30] [c1c0ed84] kasan_init+0xc0/0x198
> [c214bf70] [c1c08024] setup_arch+0x18/0x54c
> [c214bfc0] [c1c037f0] start_kernel+0x90/0x33c
> [c214bff0] [00003610] 0x3610
> ================================================================================
>
> This happens when the directly mapped memory is a power of 2.
>
> Fix it by checking the shift and setting the result to 0 when the shift is -1.
>
> Reported-by: Erhard Furtner <erhard_f@mailbox.org>
> Link: https://bugzilla.kernel.org/show_bug.cgi?id=215169
> Fixes: 7974c4732642 ("powerpc/32s: Implement dedicated kasan_init_region()")
> Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
> ---
> arch/powerpc/mm/kasan/book3s_32.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/arch/powerpc/mm/kasan/book3s_32.c b/arch/powerpc/mm/kasan/book3s_32.c
> index 202bd260a009..35b287b0a8da 100644
> --- a/arch/powerpc/mm/kasan/book3s_32.c
> +++ b/arch/powerpc/mm/kasan/book3s_32.c
> @@ -19,7 +19,8 @@ int __init kasan_init_region(void *start, size_t size)
> block = memblock_alloc(k_size, k_size_base);
>
> if (block && k_size_base >= SZ_128K && k_start == ALIGN(k_start, k_size_base)) {
> - int k_size_more = 1 << (ffs(k_size - k_size_base) - 1);
> + int shift = ffs(k_size - k_size_base);
> + int k_size_more = shift ? 1 << (shift - 1) : 0;
>
> setbat(-1, k_start, __pa(block), k_size_base, PAGE_KERNEL);
> if (k_size_more >= SZ_128K)
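Review bot: the guard at `+ int k_size_more = shift ? 1 << (shift - 1) : 0;` tests `shift` against 0, which is the right condition because ffs() returns 0 for a zero argument, but the description above says the result is set to 0 "when shift is -1"; the -1 UBSAN reported is the exponent `shift - 1`, not the value of `shift`, so the wording should name the value the code actually checks. A short comment above the two new lines stating that `k_size - k_size_base` is 0 when the directly mapped memory is a power of two would make the guard self-explanatory to the next reader, since nothing in the hunk itself says why a zero remainder is expected.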
> --
> 2.33.1
>
Tested Christophe's patch applied on 5.15.5, which works fine. Thanks!
I'll close the bugzilla report once it gets into stable.
Regards
Erhard
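As an added user-space illustration (not kernel code and not part of the patch above), the two expressions from the hunk side by side: the unguarded form refuses to evaluate the shift by -1 that ffs() of a zero remainder would produce, and the patched form returns 0. `__builtin_ffs` stands in for the kernel's ffs(), and the shadow sizes are constructed sample values.

```c
#include <stddef.h>
#include <stdio.h>

#define SZ_128K (128u * 1024u)   /* same constant as in the kernel hunk */

/* Mirrors the kernel's ffs(): bit positions are 1-based and a zero
 * argument returns 0. The compiler builtin avoids the libc header
 * (assumption: gcc or clang). */
static int kernel_ffs(int x)
{
    return __builtin_ffs(x);
}

/* Original expression from the hunk. Instead of evaluating the undefined
 * `1 << -1` when k_size == k_size_base, report it with -1 so a test can
 * show exactly which inputs would have tripped UBSAN. */
static int k_size_more_unguarded(size_t k_size, size_t k_size_base)
{
    int shift = kernel_ffs((int)(k_size - k_size_base));

    if (shift == 0)
        return -1;                 /* shift-out-of-bounds in the kernel */
    return 1 << (shift - 1);
}

/* Patched expression: no remainder above k_size_base means no second BAT. */
static int k_size_more_fixed(size_t k_size, size_t k_size_base)
{
    int shift = kernel_ffs((int)(k_size - k_size_base));

    return shift ? 1 << (shift - 1) : 0;
}

int main(void)
{
    /* Constructed shadow sizes: the first is a power of two (the reported
     * case), the second leaves a 4 MiB remainder above the base block. */
    const size_t cases[][2] = { { 0x800000, 0x800000 }, { 0xC00000, 0x800000 } };

    for (size_t i = 0; i < 2; i++) {
        int before = k_size_more_unguarded(cases[i][0], cases[i][1]);
        int after = k_size_more_fixed(cases[i][0], cases[i][1]);

        printf("k_size=0x%zx base=0x%zx: unguarded=%d fixed=0x%x%s\n",
               cases[i][0], cases[i][1], before, (unsigned)after,
               (unsigned)after >= SZ_128K ? " (second setbat)" : " (no second setbat)");
    }
    return 0;
}
```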