Linux kernel -stable discussions
 help / color / mirror / Atom feed
* [PATCH 4.19 0/1] Fix CVE-2023-6915
@ 2024-08-30  8:29 hsimeliere.opensource
  2024-08-30  8:29 ` [PATCH 4.19 1/1] ida: Fix crash in ida_free when the bitmap is empty hsimeliere.opensource
  0 siblings, 1 reply; 3+ messages in thread
From: hsimeliere.opensource @ 2024-08-30  8:29 UTC (permalink / raw)
  To: stable


https://nvd.nist.gov/vuln/detail/CVE-2023-6915

^ permalink raw reply	[flat|nested] 3+ messages in thread
* [PATCH 4.19 1/1] ida: Fix crash in ida_free when the bitmap is empty
  2024-08-30  8:29 [PATCH 4.19 0/1] Fix CVE-2023-6915 hsimeliere.opensource
@ 2024-08-30  8:29 ` hsimeliere.opensource
  2024-08-30 13:05   ` Greg KH
  0 siblings, 1 reply; 3+ messages in thread
From: hsimeliere.opensource @ 2024-08-30  8:29 UTC (permalink / raw)
  To: stable
  Cc: Matthew Wilcox (Oracle), Zhenghan Wang, Linus Torvalds,
	Hugo SIMELIERE

From: "Matthew Wilcox (Oracle)" <willy@infradead.org>

commit af73483f4e8b6f5c68c9aa63257bdd929a9c194a upstream.

The IDA usually detects double-frees, but that detection failed to
consider the case when there are no nearby IDs allocated and so we have a
NULL bitmap rather than simply having a clear bit.  Add some tests to the
test-suite to be sure we don't inadvertently reintroduce this problem.
Unfortunately they're quite noisy so include a message to disregard
the warnings.

Reported-by: Zhenghan Wang <wzhmmmmm@gmail.com>
Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Hugo SIMELIERE <hsimeliere.opensource@witekio.com>
---
 lib/idr.c      |  2 +-
 lib/test_ida.c | 40 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 41 insertions(+), 1 deletion(-)

diff --git a/lib/idr.c b/lib/idr.c
index 432a985bf772..3e4035fa89dd 100644
--- a/lib/idr.c
+++ b/lib/idr.c
@@ -471,7 +471,7 @@ static void ida_remove(struct ida *ida, int id)
 	} else {
 		btmp = bitmap->bitmap;
 	}
-	if (!test_bit(offset, btmp))
+	if (!bitmap || !test_bit(offset, btmp))
 		goto err;
 
 	__clear_bit(offset, btmp);
diff --git a/lib/test_ida.c b/lib/test_ida.c
index b06880625961..55105baa19da 100644
--- a/lib/test_ida.c
+++ b/lib/test_ida.c
@@ -150,6 +150,45 @@ static void ida_check_conv(struct ida *ida)
 	IDA_BUG_ON(ida, !ida_is_empty(ida));
 }
 
+/*
+ * Check various situations where we attempt to free an ID we don't own.
+ */
+static void ida_check_bad_free(struct ida *ida)
+{
+	unsigned long i;
+
+	printk("vvv Ignore \"not allocated\" warnings\n");
+	/* IDA is empty; all of these will fail */
+	ida_free(ida, 0);
+	for (i = 0; i < 31; i++)
+		ida_free(ida, 1 << i);
+
+	/* IDA contains a single value entry */
+	IDA_BUG_ON(ida, ida_alloc_min(ida, 3, GFP_KERNEL) != 3);
+	ida_free(ida, 0);
+	for (i = 0; i < 31; i++)
+		ida_free(ida, 1 << i);
+
+	/* IDA contains a single bitmap */
+	IDA_BUG_ON(ida, ida_alloc_min(ida, 1023, GFP_KERNEL) != 1023);
+	ida_free(ida, 0);
+	for (i = 0; i < 31; i++)
+		ida_free(ida, 1 << i);
+
+	/* IDA contains a tree */
+	IDA_BUG_ON(ida, ida_alloc_min(ida, (1 << 20) - 1, GFP_KERNEL) != (1 << 20) - 1);
+	ida_free(ida, 0);
+	for (i = 0; i < 31; i++)
+		ida_free(ida, 1 << i);
+	printk("^^^ \"not allocated\" warnings over\n");
+
+	ida_free(ida, 3);
+	ida_free(ida, 1023);
+	ida_free(ida, (1 << 20) - 1);
+
+	IDA_BUG_ON(ida, !ida_is_empty(ida));
+}
+
 static DEFINE_IDA(ida);
 
 static int ida_checks(void)
@@ -162,6 +201,7 @@ static int ida_checks(void)
 	ida_check_leaf(&ida, 1024 * 64);
 	ida_check_max(&ida);
 	ida_check_conv(&ida);
+	ida_check_bad_free(&ida);
 
 	printk("IDA: %u of %u tests passed\n", tests_passed, tests_run);
 	return (tests_run != tests_passed) ? 0 : -EINVAL;
-- 
2.43.0


^ permalink raw reply related	[flat|nested] 3+ messages in thread
* Re: [PATCH 4.19 1/1] ida: Fix crash in ida_free when the bitmap is empty
  2024-08-30  8:29 ` [PATCH 4.19 1/1] ida: Fix crash in ida_free when the bitmap is empty hsimeliere.opensource
@ 2024-08-30 13:05   ` Greg KH
  0 siblings, 0 replies; 3+ messages in thread
From: Greg KH @ 2024-08-30 13:05 UTC (permalink / raw)
  To: hsimeliere.opensource
  Cc: stable, Matthew Wilcox (Oracle), Zhenghan Wang, Linus Torvalds

On Fri, Aug 30, 2024 at 10:29:55AM +0200, hsimeliere.opensource@witekio.com wrote:
> From: "Matthew Wilcox (Oracle)" <willy@infradead.org>
> 
> commit af73483f4e8b6f5c68c9aa63257bdd929a9c194a upstream.
> 
> The IDA usually detects double-frees, but that detection failed to
> consider the case when there are no nearby IDs allocated and so we have a
> NULL bitmap rather than simply having a clear bit.  Add some tests to the
> test-suite to be sure we don't inadvertently reintroduce this problem.
> Unfortunately they're quite noisy so include a message to disregard
> the warnings.
> 
> Reported-by: Zhenghan Wang <wzhmmmmm@gmail.com>
> Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
> Signed-off-by: Hugo SIMELIERE <hsimeliere.opensource@witekio.com>
> ---
>  lib/idr.c      |  2 +-
>  lib/test_ida.c | 40 ++++++++++++++++++++++++++++++++++++++++
>  2 files changed, 41 insertions(+), 1 deletion(-)
> 

Now queued up, thanks.

greg k-h

^ permalink raw reply	[flat|nested] 3+ messages in thread
end of thread, other threads:[~2024-08-30 13:05 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-08-30  8:29 [PATCH 4.19 0/1] Fix CVE-2023-6915 hsimeliere.opensource
2024-08-30  8:29 ` [PATCH 4.19 1/1] ida: Fix crash in ida_free when the bitmap is empty hsimeliere.opensource
2024-08-30 13:05   ` Greg KH

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox