[PATCH] powerpc: Add out of bounds check to crash_shutdown

linuxppc-dev.lists.ozlabs.org archive mirror
 help / color / mirror / Atom feed

* [PATCH] powerpc: Add out of bounds check to crash_shutdown_unregister()
@ 2016-04-28  6:17 Suraj Jitindar Singh
  2016-04-28  6:55 ` Balbir Singh
  2016-05-03  5:00 ` Michael Ellerman
  0 siblings, 2 replies; 6+ messages in thread
From: Suraj Jitindar Singh @ 2016-04-28  6:17 UTC (permalink / raw)
  To: linuxppc-dev; +Cc: benh, paulus, mpe, Suraj Jitindar Singh

When unregistering a crash_shutdown_handle in the function
crash_shutdown_unregister() the other handles are shifted down in the
array to replace the unregistered handle. The for loop assumes that the
last element in the array is null and uses this as the stop condition,
however in the case that the last element is not null there is no check
to ensure that an out of bounds access is not performed.

Add a check to terminate the shift operation when CRASH_HANDLER_MAX is
reached in order to protect against out of bounds accesses.

Signed-off-by: Suraj Jitindar Singh <sjitindarsingh@gmail.com>
---
 arch/powerpc/kernel/crash.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/powerpc/kernel/crash.c b/arch/powerpc/kernel/crash.c
index 2bb252c..6b267af 100644
--- a/arch/powerpc/kernel/crash.c
+++ b/arch/powerpc/kernel/crash.c
@@ -288,7 +288,7 @@ int crash_shutdown_unregister(crash_shutdown_t handler)
 		rc = 1;
 	} else {
 		/* Shift handles down */
-		for (; crash_shutdown_handles[i]; i++)
+		for (; crash_shutdown_handles[i] && i < CRASH_HANDLER_MAX; i++)
 			crash_shutdown_handles[i] =
 				crash_shutdown_handles[i+1];
 		rc = 0;
-- 
2.5.0

^ permalink raw reply related	[flat|nested] 6+ messages in thread

* Re: [PATCH] powerpc: Add out of bounds check to crash_shutdown_unregister()
  2016-04-28  6:17 [PATCH] powerpc: Add out of bounds check to crash_shutdown_unregister() Suraj Jitindar Singh
@ 2016-04-28  6:55 ` Balbir Singh
  2016-04-28  7:18   ` Suraj Jitindar Singh
  2016-05-03  5:00 ` Michael Ellerman
  1 sibling, 1 reply; 6+ messages in thread
From: Balbir Singh @ 2016-04-28  6:55 UTC (permalink / raw)
  To: Suraj Jitindar Singh, linuxppc-dev; +Cc: paulus



On 28/04/16 16:17, Suraj Jitindar Singh wrote:
> When unregistering a crash_shutdown_handle in the function
> crash_shutdown_unregister() the other handles are shifted down in the
> array to replace the unregistered handle. The for loop assumes that the
> last element in the array is null and uses this as the stop condition,
> however in the case that the last element is not null there is no check
> to ensure that an out of bounds access is not performed.
> 
> Add a check to terminate the shift operation when CRASH_HANDLER_MAX is
> reached in order to protect against out of bounds accesses.
> 
> Signed-off-by: Suraj Jitindar Singh <sjitindarsingh@gmail.com>
> ---
>  arch/powerpc/kernel/crash.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/arch/powerpc/kernel/crash.c b/arch/powerpc/kernel/crash.c
> index 2bb252c..6b267af 100644
> --- a/arch/powerpc/kernel/crash.c
> +++ b/arch/powerpc/kernel/crash.c
> @@ -288,7 +288,7 @@ int crash_shutdown_unregister(crash_shutdown_t handler)
>  		rc = 1;
>  	} else {
>  		/* Shift handles down */
> -		for (; crash_shutdown_handles[i]; i++)
> +		for (; crash_shutdown_handles[i] && i < CRASH_HANDLER_MAX; i++)
>  			crash_shutdown_handles[i] =
>  				crash_shutdown_handles[i+1];
>  		rc = 0;
> 

with i = CRASH_HANDLER_MAX-1 we could end up with crash_shutdown_handles[i+1] already out of bounds
I think you need to check that i+1 does not overflow

Balbir

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH] powerpc: Add out of bounds check to crash_shutdown_unregister()
  2016-04-28  6:55 ` Balbir Singh
@ 2016-04-28  7:18   ` Suraj Jitindar Singh
  2016-04-28  7:52     ` Balbir Singh
  0 siblings, 1 reply; 6+ messages in thread
From: Suraj Jitindar Singh @ 2016-04-28  7:18 UTC (permalink / raw)
  To: Balbir Singh; +Cc: linuxppc-dev, paulus

On Thu, 28 Apr 2016 16:55:13 +1000
Balbir Singh <bsingharora@gmail.com> wrote:

> On 28/04/16 16:17, Suraj Jitindar Singh wrote:
> > When unregistering a crash_shutdown_handle in the function
> > crash_shutdown_unregister() the other handles are shifted down in
> > the array to replace the unregistered handle. The for loop assumes
> > that the last element in the array is null and uses this as the
> > stop condition, however in the case that the last element is not
> > null there is no check to ensure that an out of bounds access is
> > not performed.
> > 
> > Add a check to terminate the shift operation when CRASH_HANDLER_MAX
> > is reached in order to protect against out of bounds accesses.
> > 
> > Signed-off-by: Suraj Jitindar Singh <sjitindarsingh@gmail.com>
> > ---
> >  arch/powerpc/kernel/crash.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> > 
> > diff --git a/arch/powerpc/kernel/crash.c
> > b/arch/powerpc/kernel/crash.c index 2bb252c..6b267af 100644
> > --- a/arch/powerpc/kernel/crash.c
> > +++ b/arch/powerpc/kernel/crash.c
> > @@ -288,7 +288,7 @@ int crash_shutdown_unregister(crash_shutdown_t
> > handler) rc = 1;
> >  	} else {
> >  		/* Shift handles down */
> > -		for (; crash_shutdown_handles[i]; i++)
> > +		for (; crash_shutdown_handles[i] && i <
> > CRASH_HANDLER_MAX; i++) crash_shutdown_handles[i] =
> >  				crash_shutdown_handles[i+1];
> >  		rc = 0;
> >   
> 
> with i = CRASH_HANDLER_MAX-1 we could end up with
> crash_shutdown_handles[i+1] already out of bounds I think you need to
> check that i+1 does not overflow
> 
> Balbir

Thanks for taking a look Balbir, the size of crash_shutdown_handles is
actually CRASH_HANDLER_MAX+1.

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH] powerpc: Add out of bounds check to crash_shutdown_unregister()
  2016-04-28  7:18   ` Suraj Jitindar Singh
@ 2016-04-28  7:52     ` Balbir Singh
  0 siblings, 0 replies; 6+ messages in thread
From: Balbir Singh @ 2016-04-28  7:52 UTC (permalink / raw)
  To: Suraj Jitindar Singh; +Cc: linuxppc-dev, paulus

> 
> Thanks for taking a look Balbir, the size of crash_shutdown_handles is
> actually CRASH_HANDLER_MAX+1.
> 

Acked-by: Balbir Singh <bsingharora@gmail.com>

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: powerpc: Add out of bounds check to crash_shutdown_unregister()
  2016-04-28  6:17 [PATCH] powerpc: Add out of bounds check to crash_shutdown_unregister() Suraj Jitindar Singh
  2016-04-28  6:55 ` Balbir Singh
@ 2016-05-03  5:00 ` Michael Ellerman
  2016-05-09  0:33   ` Suraj Jitindar Singh
  1 sibling, 1 reply; 6+ messages in thread
From: Michael Ellerman @ 2016-05-03  5:00 UTC (permalink / raw)
  To: Suraj Jitindar Singh, linuxppc-dev; +Cc: paulus, Suraj Jitindar Singh

On Thu, 2016-28-04 at 06:17:45 UTC, Suraj Jitindar Singh wrote:
> When unregistering a crash_shutdown_handle in the function
> crash_shutdown_unregister() the other handles are shifted down in the
> array to replace the unregistered handle. The for loop assumes that the
> last element in the array is null and uses this as the stop condition,
> however in the case that the last element is not null there is no check
> to ensure that an out of bounds access is not performed.

But AFAICS the code ensures that entry will always be NULL. So there's no bug at
the moment.

> Add a check to terminate the shift operation when CRASH_HANDLER_MAX is
> reached in order to protect against out of bounds accesses.

Doing it this way is more robust though. The chance of the NULL terminator being
corrupted is definitely higher than the code being corrupted, and if the latter
happens we're probably toast anyway.

> diff --git a/arch/powerpc/kernel/crash.c b/arch/powerpc/kernel/crash.c
> index 2bb252c..6b267af 100644
> --- a/arch/powerpc/kernel/crash.c
> +++ b/arch/powerpc/kernel/crash.c
> @@ -288,7 +288,7 @@ int crash_shutdown_unregister(crash_shutdown_t handler)
>  		rc = 1;
>  	} else {
>  		/* Shift handles down */
> -		for (; crash_shutdown_handles[i]; i++)
> +		for (; crash_shutdown_handles[i] && i < CRASH_HANDLER_MAX; i++)
>  			crash_shutdown_handles[i] =
>  				crash_shutdown_handles[i+1];
>  		rc = 0;

So if I'm reading it right, with this change we have removed all the code that
uses the NULL-terminated property of the list.

If so we should also shrink the array to be only CRASH_HANDLER_MAX in size, and
remove any references to it being NULL terminated.

cheers

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: powerpc: Add out of bounds check to crash_shutdown_unregister()
  2016-05-03  5:00 ` Michael Ellerman
@ 2016-05-09  0:33   ` Suraj Jitindar Singh
  0 siblings, 0 replies; 6+ messages in thread
From: Suraj Jitindar Singh @ 2016-05-09  0:33 UTC (permalink / raw)
  To: Michael Ellerman, linuxppc-dev; +Cc: paulus



On 03/05/16 15:00, Michael Ellerman wrote:
> On Thu, 2016-28-04 at 06:17:45 UTC, Suraj Jitindar Singh wrote:
>> When unregistering a crash_shutdown_handle in the function
>> crash_shutdown_unregister() the other handles are shifted down in the
>> array to replace the unregistered handle. The for loop assumes that the
>> last element in the array is null and uses this as the stop condition,
>> however in the case that the last element is not null there is no check
>> to ensure that an out of bounds access is not performed.
> But AFAICS the code ensures that entry will always be NULL. So there's no bug at
> the moment.
>
>> Add a check to terminate the shift operation when CRASH_HANDLER_MAX is
>> reached in order to protect against out of bounds accesses.
> Doing it this way is more robust though. The chance of the NULL terminator being
> corrupted is definitely higher than the code being corrupted, and if the latter
> happens we're probably toast anyway.
>
>> diff --git a/arch/powerpc/kernel/crash.c b/arch/powerpc/kernel/crash.c
>> index 2bb252c..6b267af 100644
>> --- a/arch/powerpc/kernel/crash.c
>> +++ b/arch/powerpc/kernel/crash.c
>> @@ -288,7 +288,7 @@ int crash_shutdown_unregister(crash_shutdown_t handler)
>>  		rc = 1;
>>  	} else {
>>  		/* Shift handles down */
>> -		for (; crash_shutdown_handles[i]; i++)
>> +		for (; crash_shutdown_handles[i] && i < CRASH_HANDLER_MAX; i++)
>>  			crash_shutdown_handles[i] =
>>  				crash_shutdown_handles[i+1];
>>  		rc = 0;
> So if I'm reading it right, with this change we have removed all the code that
> uses the NULL-terminated property of the list.
>
> If so we should also shrink the array to be only CRASH_HANDLER_MAX in size, and
> remove any references to it being NULL terminated.
>
> cheers

Thanks Michael, will change this to reflect that the list is no longer assumed to be null terminated.

^ permalink raw reply	[flat|nested] 6+ messages in thread

end of thread, other threads:[~2016-05-09  0:33 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-04-28  6:17 [PATCH] powerpc: Add out of bounds check to crash_shutdown_unregister() Suraj Jitindar Singh
2016-04-28  6:55 ` Balbir Singh
2016-04-28  7:18   ` Suraj Jitindar Singh
2016-04-28  7:52     ` Balbir Singh
2016-05-03  5:00 ` Michael Ellerman
2016-05-09  0:33   ` Suraj Jitindar Singh

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).