From: Russell King - ARM Linux <linux@arm.linux.org.uk>
To: Minfei Huang <mhuang@redhat.com>
Cc: Fenghua Yu <fenghua.yu@intel.com>,
Tony Luck <tony.luck@intel.com>,
linux-ia64@vger.kernel.org,
Eric Biederman <ebiederm@xmission.com>,
kexec@lists.infradead.org
Subject: Re: [PATCH 2/3] kexec: ensure user memory sizes do not wrap
Date: Fri, 29 Apr 2016 09:30:46 +0000
Message-ID: <20160429093046.GR19428@n2100.arm.linux.org.uk>
In-Reply-To: <20160429093221.GA23421@dhcp-128-25.nay.redhat.com>
On Fri, Apr 29, 2016 at 05:32:21PM +0800, Minfei Huang wrote:
> On 04/28/16 at 01:22pm, Russell King - ARM Linux wrote:
> > On Thu, Apr 28, 2016 at 07:07:22PM +0800, Minfei Huang wrote:
> > > On 04/14/16 at 09:00pm, Russell King wrote:
> > > > Ensure that user memory sizes do not wrap around when validating the
> > > > user input, which can lead to the following input validation working
> > > > incorrectly.
> > > >
> > > > Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
> > > > ---
> > > > kernel/kexec_core.c | 2 ++
> > > > 1 file changed, 2 insertions(+)
> > > >
> > > > diff --git a/kernel/kexec_core.c b/kernel/kexec_core.c
> > > > index 8d34308ea449..d719a4d0ef55 100644
> > > > --- a/kernel/kexec_core.c
> > > > +++ b/kernel/kexec_core.c
> > > > @@ -169,6 +169,8 @@ int sanity_check_segment_list(struct kimage *image)
> > > >
> > > > mstart = image->segment[i].mem;
> > > > mend = mstart + image->segment[i].memsz;
> > > > + if (mstart > mend)
> > > > + return result;
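Review bot: the `if (mstart > mend)` test added at the end of this hunk correctly rejects a segment whose end address wraps past the top of the address space, but it should carry a comment saying so, because an unsigned sum silently reduces modulo 2^N and a reader can assume (as happens later in this very thread) that an unsigned `memsz` makes the check unnecessary; suggest `/* reject segments whose end address wraps around */` above the test. Note also that `return result;` relies on `result` already holding the failure value at this point in sanity_check_segment_list(), which the hunk's context does not show; worth confirming, or returning an explicit error code.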
> > >
> > > The type of image->segment[i].memsz is unsigned. So there is no need to
> > > have a test here.
> >
> > Absolutely wrong. Consider the case:
> >
> > segment[i].mem = 0xfff00000;
> > segment[i].size = 0x00200000;
> >
> > Here, mstart will be 0xfff00000, and mend will be 0x00100000. Just
> > because it's some random type does not make things magically work.
>
> Hi, Russell.
>
> Do you mean in PAE mode? If so, we will be in big trouble, because there
> are a lot of functions which use unsigned long to store memory address,
> and this type is 32 bit in PAE mode.
This is basic input validation stuff, it's got nothing to do with whether
we're in PAE mode. If we get passed such a segment as I illustrate above,
we should detect and fail it, just as we detect and fail other similar
errors.
I'm not sure what the big deal here is. These are basic validation checks
for stuff coming from userspace, which the kernel should be doing as a
matter of course to protect itself.
--
RMK's Patch system: http://www.arm.linux.org.uk/developer/patches/
FTTC broadband for 0.8mile line: currently at 9.6Mbps down 400kbps up
according to speedtest.net.
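A stand-alone model of the wrap check argued over in this thread, as an added example and not code from the kernel or from either participant; `seg32`, `segment_wraps32`, `segment_wraps_ulong`, `first_wrapping_segment` and `demo_result` are assumed names, and the 32-bit width is used so the thread's own values reproduce the wrap on any host:

```c
#include <stdint.h>
#include <stdio.h>
#include <limits.h>

/* Added example, not kernel code: models the end-address wrap check
 * from the patch under discussion. All names here are assumptions. */

/* Physical address + size pair, as a kexec segment carries them. */
struct seg32 {
    uint32_t mem;    /* start of the region in physical memory */
    uint32_t memsz;  /* size of the region in bytes */
};

/* Returns 1 if mem + memsz wraps past the top of a 32-bit address space.
 * Unsigned addition cannot go negative, but it silently reduces modulo
 * 2^32, so a wrapped end lies below the start. A segment that ends
 * exactly at 2^32 gives mend == 0 and is also rejected. */
int segment_wraps32(uint32_t mem, uint32_t memsz)
{
    uint32_t mstart = mem;
    uint32_t mend = mstart + memsz;   /* modular arithmetic, well defined */
    return mstart > mend;
}

/* The same check at the native width the kernel uses (unsigned long). */
int segment_wraps_ulong(unsigned long mem, unsigned long memsz)
{
    unsigned long mend = mem + memsz;
    return mem > mend;
}

/* Validates a segment list the way the patched function would: returns the
 * index of the first wrapping segment, or -1 if every segment is sane. */
int first_wrapping_segment(const struct seg32 *segs, int nr)
{
    for (int i = 0; i < nr; i++)
        if (segment_wraps32(segs[i].mem, segs[i].memsz))
            return i;
    return -1;
}

/* Constructed input: the second segment is the one quoted in the thread,
 * whose end address 0xfff00000 + 0x00200000 wraps to 0x00100000. */
int demo_result(void)
{
    struct seg32 segs[] = {
        { 0x00100000u, 0x00200000u },
        { 0xfff00000u, 0x00200000u },
    };
    return first_wrapping_segment(segs, 2);
}

int main(void)
{
    printf("first wrapping segment: %d\n", demo_result());
    return 0;
}
```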