From: Lukasz Odzioba
To: linux-kernel@vger.kernel.org, tglx@linutronix.de, mingo@redhat.com, hpa@zytor.com, x86@kernel.org, bp@alien8.de, luto@kernel.org, slaoub@gmail.com, bp@suse.de, dave.hansen@linux.intel.com, andi.kleen@intel.com
Cc: Lukasz Odzioba
Subject: [PATCH 1/1] x86: sanitize argument of clearcpuid command-line option
Date: Wed, 28 Dec 2016 14:55:40 +0100
Message-Id: <1482933340-11857-1-git-send-email-lukasz.odzioba@intel.com>

A negative number can be specified in the cmdline which will be used as the setup_clear_cpu_cap() argument. With that we can clear/set some bit in memory preceding boot_cpu_data/cpu_caps_cleared which may cause the kernel to misbehave. This patch adds a lower bound check to setup_disablecpuid().

Fixes: ac72e7888a61 ("x86: add generic clearcpuid=... option")
Signed-off-by: Lukasz Odzioba
---
As an example let's change the definition of the one_hundred variable:

ffffffff81c4eeec d one_hundred
ffffffff81d69720 D boot_cpu_data (0x14 is x86_capability offset)

8*(0xffffffff81d69734-0xffffffff81c4eeec) => 9257536
-2 because we want to clear the second bit.

With clearcpuid=-9257534 we change the definition of one_hundred to 96, which is used among other things as sysfs' max value for swappiness, so we can check the effect like so:

# echo 96 > /proc/sys/vm/swappiness
# echo 97 > /proc/sys/vm/swappiness
-bash: echo: write error: Invalid argument
---
arch/x86/kernel/cpu/common.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
index dc1697c..9bab7a8 100644
--- a/arch/x86/kernel/cpu/common.c
+++ b/arch/x86/kernel/cpu/common.c
@@ -1221,7 +1221,7 @@ static __init int setup_disablecpuid(char *arg) { int bit; - if (get_option(&arg, &bit) && bit < NCAPINTS*32) + if (get_option(&arg, &bit) && bit >= 0 && bit < NCAPINTS * 32) setup_clear_cpu_cap(bit); else return 0;
--
1.8.3.1
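Review bot: The lower bound `bit >= 0` in the `+` line is the right fix, since `bit` is a signed int and a negative value satisfied the old `bit < NCAPINTS*32` test and was then used as an index by setup_clear_cpu_cap(); but the `else return 0;` branch still drops a rejected value silently, so a mistyped or out-of-range `clearcpuid=` is indistinguishable at boot from one that was applied. Consider emitting a pr_warn naming the rejected value before returning, so the failure is visible in dmesg. The `NCAPINTS*32` to `NCAPINTS * 32` spacing change is fine as a checkpatch cleanup but would read better called out in the commit message.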