From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Zijun Hu <zijun_hu@htc.com>,
Mark Rutland <mark.rutland@arm.com>,
Ard Biesheuvel <ard.biesheuvel@linaro.org>,
Will Deacon <will.deacon@arm.com>
Subject: [PATCH 4.4 020/138] arm64: mm: avoid fdt_check_header() before the FDT is fully mapped
Date: Thu, 18 Aug 2016 15:57:10 +0200 [thread overview]
Message-ID: <20160818135556.350270201@linuxfoundation.org> (raw)
In-Reply-To: <20160818135553.377018690@linuxfoundation.org>
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
commit 04a848106193b134741672f7e4e444b50c70b631 upstream.
As reported by Zijun, the fdt_check_header() call in __fixmap_remap_fdt()
is not safe since it is not guaranteed that the FDT header is mapped
completely. Due to the minimum alignment of 8 bytes, the only fields we
can assume to be mapped are 'magic' and 'totalsize'.
Since the OF layer is in charge of validating the FDT image, and we are
only interested in making reasonably sure that the size field contains
a meaningful value, replace the fdt_check_header() call with an explicit
comparison of the magic field's value against the expected value.
Reported-by: Zijun Hu <zijun_hu@htc.com>
Acked-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/mm/mmu.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
--- a/arch/arm64/mm/mmu.c
+++ b/arch/arm64/mm/mmu.c
@@ -652,9 +652,9 @@ void *__init fixmap_remap_fdt(phys_addr_
/*
* Check whether the physical FDT address is set and meets the minimum
* alignment requirement. Since we are relying on MIN_FDT_ALIGN to be
- * at least 8 bytes so that we can always access the size field of the
- * FDT header after mapping the first chunk, double check here if that
- * is indeed the case.
+ * at least 8 bytes so that we can always access the magic and size
+ * fields of the FDT header after mapping the first chunk, double check
+ * here if that is indeed the case.
*/
BUILD_BUG_ON(MIN_FDT_ALIGN < 8);
if (!dt_phys || dt_phys % MIN_FDT_ALIGN)
@@ -682,7 +682,7 @@ void *__init fixmap_remap_fdt(phys_addr_
create_mapping(round_down(dt_phys, SWAPPER_BLOCK_SIZE), dt_virt_base,
SWAPPER_BLOCK_SIZE, prot);
- if (fdt_check_header(dt_virt) != 0)
+ if (fdt_magic(dt_virt) != FDT_MAGIC)
return NULL;
size = fdt_totalsize(dt_virt);
next prev parent reply other threads:[~2016-08-18 14:03 UTC|newest]
Thread overview: 64+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <CGME20160818140229uscas1p28936a684c22cfb777077f1c973fad437@uscas1p2.samsung.com>
[not found] ` <20160818135553.377018690@linuxfoundation.org>
2016-08-18 13:56 ` [PATCH 4.4 001/138] usb: gadget: avoid exposing kernel stack Greg Kroah-Hartman
2016-08-18 13:56 ` [PATCH 4.4 002/138] usb: f_fs: off by one bug in _ffs_func_bind() Greg Kroah-Hartman
2016-08-18 13:56 ` [PATCH 4.4 004/138] usb: quirks: Add no-lpm quirk for Elan Greg Kroah-Hartman
2016-08-18 13:57 ` [PATCH 4.4 010/138] arm64: debug: unmask PSTATE.D earlier Greg Kroah-Hartman
2016-08-18 13:57 ` [PATCH 4.4 012/138] tty: serial: msm: Dont read off end of tx fifo Greg Kroah-Hartman
2016-08-18 13:57 ` [PATCH 4.4 014/138] tty/serial: atmel: fix RS485 half duplex with DMA Greg Kroah-Hartman
2016-08-18 13:57 ` [PATCH 4.4 015/138] gpio: pca953x: Fix NBANK calculation for PCA9536 Greg Kroah-Hartman
2016-08-18 13:57 ` [PATCH 4.4 016/138] gpio: intel-mid: Remove potentially harmful code Greg Kroah-Hartman
2016-08-18 13:57 ` [PATCH 4.4 017/138] Bluetooth: hci_intel: Fix null gpio desc pointer dereference Greg Kroah-Hartman
2016-08-18 13:57 ` [PATCH 4.4 018/138] pinctrl: cherryview: prevent concurrent access to GPIO controllers Greg Kroah-Hartman
2016-08-18 13:57 ` [PATCH 4.4 019/138] arm64: dts: rockchip: fixes the gic400 2nd region size for rk3368 Greg Kroah-Hartman
2016-08-18 13:57 ` Greg Kroah-Hartman [this message]
2016-08-18 13:57 ` [PATCH 4.4 022/138] KVM: PPC: Book3S HV: Save/restore TM state in H_CEDE Greg Kroah-Hartman
2016-08-18 13:57 ` [PATCH 4.4 023/138] KVM: MTRR: fix kvm_mtrr_check_gfn_range_consistency page fault Greg Kroah-Hartman
2016-08-18 13:57 ` [PATCH 4.4 044/138] EDAC: Correct channel count limit Greg Kroah-Hartman
2016-08-18 13:57 ` [PATCH 4.4 046/138] ovl: disallow overlayfs as upperdir Greg Kroah-Hartman
2016-08-18 13:57 ` [PATCH 4.4 047/138] remoteproc: Fix potential race condition in rproc_add Greg Kroah-Hartman
2016-08-18 13:57 ` [PATCH 4.4 048/138] ARC: mm: dont loose PTE_SPECIAL in pte_modify() Greg Kroah-Hartman
2016-08-18 13:57 ` [PATCH 4.4 049/138] jbd2: make journal y2038 safe Greg Kroah-Hartman
2016-08-18 13:57 ` [PATCH 4.4 064/138] nfsd: dont return an unhashed lock stateid after taking mutex Greg Kroah-Hartman
2016-08-18 13:57 ` [PATCH 4.4 066/138] iommu/exynos: Suppress unbinding to prevent system failure Greg Kroah-Hartman
2016-08-18 13:57 ` [PATCH 4.4 067/138] iommu/vt-d: Return error code in domain_context_mapping_one() Greg Kroah-Hartman
2016-08-18 13:57 ` [PATCH 4.4 068/138] iommu/amd: Handle IOMMU_DOMAIN_DMA in ops->domain_free call-back Greg Kroah-Hartman
2016-08-18 13:57 ` [PATCH 4.4 069/138] iommu/amd: Init unity mappings only for dma_ops domains Greg Kroah-Hartman
2016-08-18 13:58 ` [PATCH 4.4 070/138] iommu/amd: Update Alias-DTE in update_device_table() Greg Kroah-Hartman
2016-08-18 13:58 ` [PATCH 4.4 071/138] audit: fix a double fetch in audit_log_single_execve_arg() Greg Kroah-Hartman
2016-08-18 13:58 ` [PATCH 4.4 072/138] ARM: dts: sunxi: Add a startup delay for fixed regulator enabled phys Greg Kroah-Hartman
2016-08-18 13:58 ` [PATCH 4.4 074/138] w1:omap_hdq: fix regression Greg Kroah-Hartman
2016-08-18 13:58 ` [PATCH 4.4 076/138] drm/amdgpu: Poll for both connect/disconnect on analog connectors Greg Kroah-Hartman
2016-08-18 13:58 ` [PATCH 4.4 077/138] drm/amdgpu: support backlight control for UNIPHY3 Greg Kroah-Hartman
2016-08-18 13:58 ` [PATCH 4.4 078/138] drm/amdgpu: Disable RPM helpers while reprobing connectors on resume Greg Kroah-Hartman
2016-08-18 13:58 ` [PATCH 4.4 080/138] drm/amdgpu/gmc7: add missing mullins case Greg Kroah-Hartman
2016-08-18 13:58 ` [PATCH 4.4 082/138] drm/radeon: Poll for both connect/disconnect on analog connectors Greg Kroah-Hartman
2016-08-18 13:58 ` [PATCH 4.4 083/138] drm/radeon: fix firmware info version checks Greg Kroah-Hartman
2016-08-18 13:58 ` [PATCH 4.4 086/138] drm/nouveau/gr/nv3x: fix instobj write offsets in gr setup Greg Kroah-Hartman
2016-08-18 13:58 ` [PATCH 4.4 087/138] drm/nouveau/fbcon: fix font width not divisible by 8 Greg Kroah-Hartman
2016-08-18 13:58 ` [PATCH 4.4 088/138] drm: Restore double clflush on the last partial cacheline Greg Kroah-Hartman
2016-08-18 13:58 ` [PATCH 4.4 092/138] balloon: check the number of available pages in leak balloon Greg Kroah-Hartman
2016-08-18 13:58 ` [PATCH 4.4 093/138] ftrace/recordmcount: Work around for addition of metag magic but not relocations Greg Kroah-Hartman
2016-08-18 13:58 ` [PATCH 4.4 095/138] block: add missing group association in bio-cloning functions Greg Kroah-Hartman
2016-08-18 13:58 ` [PATCH 4.4 096/138] block: fix bdi vs gendisk lifetime mismatch Greg Kroah-Hartman
2016-08-18 13:58 ` [PATCH 4.4 097/138] mtd: nand: fix bug writing 1 byte less than page size Greg Kroah-Hartman
2016-08-18 13:58 ` [PATCH 4.4 098/138] mm/hugetlb: avoid soft lockup in set_max_huge_pages() Greg Kroah-Hartman
2016-08-18 13:58 ` [PATCH 4.4 099/138] ALSA: hda: Fix krealloc() with __GFP_ZERO usage Greg Kroah-Hartman
2016-08-18 13:58 ` [PATCH 4.4 100/138] ALSA: hda/realtek - Cant adjust speakers volume on a Dell AIO Greg Kroah-Hartman
2016-08-18 13:58 ` [PATCH 4.4 101/138] ALSA: hda: add AMD Bonaire AZ PCI ID with proper driver caps Greg Kroah-Hartman
2016-08-18 13:58 ` [PATCH 4.4 102/138] ALSA: hda - Fix headset mic detection problem for two dell machines Greg Kroah-Hartman
2016-08-18 13:58 ` [PATCH 4.4 103/138] IB/mlx5: Fix MODIFY_QP command input structure Greg Kroah-Hartman
2016-08-18 13:58 ` [PATCH 4.4 111/138] IB/IWPM: Fix a potential skb leak Greg Kroah-Hartman
2016-08-18 13:58 ` [PATCH 4.4 112/138] IB/mlx4: Fix the SQ size of an RC QP Greg Kroah-Hartman
2016-08-18 13:58 ` [PATCH 4.4 113/138] IB/mlx4: Fix error flow when sending mads under SRIOV Greg Kroah-Hartman
2016-08-18 13:58 ` [PATCH 4.4 114/138] IB/mlx4: Fix memory leak if QP creation failed Greg Kroah-Hartman
2016-08-18 13:58 ` [PATCH 4.4 116/138] ubi: Make volume resize power cut aware Greg Kroah-Hartman
2016-08-18 13:58 ` [PATCH 4.4 117/138] ubi: Fix early logging Greg Kroah-Hartman
2016-08-18 13:58 ` [PATCH 4.4 124/138] target: Fix ordered task CHECK_CONDITION early exception handling Greg Kroah-Hartman
2016-08-18 13:58 ` [PATCH 4.4 125/138] Input: elan_i2c - properly wake up touchpad on ASUS laptops Greg Kroah-Hartman
2016-08-18 13:58 ` [PATCH 4.4 127/138] SUNRPC: Dont allocate a full sockaddr_storage for tracing Greg Kroah-Hartman
2016-08-18 13:58 ` [PATCH 4.4 129/138] MIPS: Dont register r4k sched clock when CPUFREQ enabled Greg Kroah-Hartman
2016-08-18 13:59 ` [PATCH 4.4 130/138] MIPS: hpet: Increase HPET_MIN_PROG_DELTA and decrease HPET_MIN_CYCLES Greg Kroah-Hartman
2016-08-18 13:59 ` [PATCH 4.4 133/138] ACPI / EC: Work around method reentrancy limit in ACPICA for _Qxx Greg Kroah-Hartman
2016-08-18 13:59 ` [PATCH 4.4 134/138] lpfc: fix oops in lpfc_sli4_scmd_to_wqidx_distr() from lpfc_send_taskmgmt() Greg Kroah-Hartman
2016-08-18 13:59 ` [PATCH 4.4 135/138] rtc: s3c: Add s3c_rtc_{enable/disable}_clk in s3c_rtc_setfreq() Greg Kroah-Hartman
2016-08-18 20:07 ` [PATCH 4.4 000/138] 4.4.19-stable review Guenter Roeck
2016-08-18 21:35 ` Shuah Khan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160818135556.350270201@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=ard.biesheuvel@linaro.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mark.rutland@arm.com \
--cc=stable@vger.kernel.org \
--cc=will.deacon@arm.com \
--cc=zijun_hu@htc.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).