Date: Mon, 2 Apr 2018 12:09:03 -0700
From: Ram Pai
To: Takashi Iwai
Cc: Bjorn Helgaas, linux-kernel@vger.kernel.org, Michael Henders
Subject: Re: [PATCH] resource: Fix integer overflow at reallocation
Reply-To: Ram Pai
References: <20180402071616.27177-1-tiwai@suse.de>
In-Reply-To: <20180402071616.27177-1-tiwai@suse.de>
Message-Id: <20180402190903.GH5743@ram.oc3035372033.ibm.com>
User-Agent: Mutt/1.5.20 (2009-12-10)
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Apr 02, 2018 at 09:16:16AM +0200, Takashi Iwai wrote:
> We've got a bug report indicating a kernel panic at booting on an
> x86-32 system, and it turned out to be the invalid resource assigned
> after reallocation. __find_resource() first aligns the resource start
> address and resets the end address with start+size-1 accordingly, then
> checks whether it's contained. Here the end address may overflow the
> integer, although resource_contains() still returns true because the
> function validates only start and end address. So this ends up with
> returning an invalid resource (start > end).
>
> There was already an attempt to cover such a problem in the commit
> 47ea91b4052d ("Resource: fix wrong resource window calculation"), but
> this case is an overseen one.
> > This patch adds the validity check of the newly calculated resource > for avoiding the integer overflow problem. Should we move this check "alloc.start <= alloc.end" into resource_contains()? Doing so will catch all uses of such erroneous (overflowing) resources. RP > > Bugzilla: https://urldefense.proofpoint.com/v2/url?u=http-3A__bugzilla.opensuse.org_show-5Fbug.cgi-3Fid-3D1086739&d=DwIBAg&c=jf_iaSHvJObTbx-siA1ZOg&r=m-UrKChQVkZtnPpjbF6YY99NbT8FBByQ-E-ygV8luxw&m=FoiwlR-LTJ9_EBQsLYSCqXuWrGhU1lXycdvhbaK7wOk&s=clxOtFUIAMlPNwQJZTaKnmIta9pMtJ8XprmwVd-ylvo&e= > Fixes: 23c570a67448 ("resource: ability to resize an allocated resource") > Reported-and-tested-by: Michael Henders > Cc: > Signed-off-by: Takashi Iwai > --- > > Bjorn, I send this to you since the bug hits during PCI init, although > the culprit is in generic resource management. > > kernel/resource.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/kernel/resource.c b/kernel/resource.c > index e270b5048988..2af6c03858b9 100644 > --- a/kernel/resource.c > +++ b/kernel/resource.c > @@ -651,7 +651,8 @@ static int __find_resource(struct resource *root, struct resource *old, > alloc.start = constraint->alignf(constraint->alignf_data, &avail, > size, constraint->align); > alloc.end = alloc.start + size - 1; > - if (resource_contains(&avail, &alloc)) { > + if (alloc.start <= alloc.end && > + resource_contains(&avail, &alloc)) { > new->start = alloc.start; > new->end = alloc.end; > return 0; > -- > 2.16.2 -- Ram Pai
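Review bot: the added `alloc.start <= alloc.end` test is the right guard for the wrap the changelog describes, but it deserves a one-line comment in the hunk, because out of context it reads like a tautology: `alloc.end = alloc.start + size - 1;` can wrap around resource_size_t, and, as the changelog says, resource_contains() validates only the two endpoints, so the wrapped (start > end) range still passes it. The guard also rejects a zero-size request, for which alloc.end becomes alloc.start - 1, where the old code accepted it; if no caller can reach __find_resource() with size 0 that is harmless, otherwise it is worth a sentence in the changelog. On Ram's question: the check is cheap either way, so the deciding factor is whether any other caller of resource_contains() can be handed an inverted range; if not, keeping it at the one place where alloc.end is computed from size is the narrower change.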
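The wrap Takashi describes, as an added example that is not code from the patch or from the kernel: it models the kernel's endpoint comparison with a 32-bit resource_size_t (an assumption matching the x86-32 report) and shows the pre-patch check accepting an inverted range that the patched check rejects.

```c
/* Added example, not kernel code: models the __find_resource() wrap from the
 * changelog. Assumption: resource_size_t is 32 bits, as on the x86-32 box. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t resource_size_t;      /* assumed 32-bit for the demonstration */

struct resource {
	resource_size_t start, end;    /* inclusive range, like the kernel's */
};

/* The endpoint comparison resource_contains() relies on: it checks only that
 * r2's start and end lie inside r1, so an inverted r2 (start > end) passes. */
static bool resource_contains(const struct resource *r1,
			      const struct resource *r2)
{
	return r1->start <= r2->start && r1->end >= r2->end;
}

/* Pre-patch logic: start + size - 1 wraps silently (unsigned arithmetic), and
 * the tiny wrapped end still satisfies resource_contains(). */
static bool fits_before(resource_size_t avail_start, resource_size_t avail_end,
			resource_size_t start, resource_size_t size)
{
	struct resource avail = { avail_start, avail_end };
	struct resource alloc = { start, start + size - 1 };
	return resource_contains(&avail, &alloc);
}

/* Post-patch logic: reject the inverted range before consulting resource_contains(). */
static bool fits_after(resource_size_t avail_start, resource_size_t avail_end,
		       resource_size_t start, resource_size_t size)
{
	struct resource avail = { avail_start, avail_end };
	struct resource alloc = { start, start + size - 1 };
	return alloc.start <= alloc.end && resource_contains(&avail, &alloc);
}

int main(void)
{
	/* Constructed window: top 256 MiB of the 4 GiB space; a 2 MiB request
	 * aligned to 0xFFF00000 has its end wrap to 0x000FFFFF. */
	printf("before patch: %s\n",
	       fits_before(0xF0000000u, 0xFFFFFFFFu, 0xFFF00000u, 0x00200000u)
	       ? "accepted (bug)" : "rejected");
	printf("after  patch: %s\n",
	       fits_after(0xF0000000u, 0xFFFFFFFFu, 0xFFF00000u, 0x00200000u)
	       ? "accepted" : "rejected");
	return 0;
}
```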