Received: by 10.213.65.68 with SMTP id h4csp43736imn; Thu, 5 Apr 2018 17:24:43 -0700 (PDT) X-Google-Smtp-Source: AIpwx4+HCt5yQAGQ7OA05/OBtSiGhAl0sDlTfcXkwPbKwrFePtAS5cPClrEYzude61JgwemuueIF X-Received: by 2002:a17:902:41:: with SMTP id 59-v6mr25318307pla.248.1522974283916; Thu, 05 Apr 2018 17:24:43 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1522974283; cv=none; d=google.com; s=arc-20160816; b=io2l1OCjW9qkU4NKT2iIRPq7rW3iX6CrzhqKauZiCIZug4AzqB5NC8LRCRP32Ghbnf +SONrtQemoGSyPOpgiuIvA1m+L4R5moJTE+Vu0cVflB3PXWFBedBwwA5IzKVQ/AY2BwM fX13xt4SbTudsAeOyonoYmsIPUYCEmJ8Dm/zQtj/wHEV+GfA6PZKAnv92JUWsobXni6R BP06/jN+aYlPg4WHx61yAYScRcX0l30lreYwLjHY3XHiHUbgLvDtF7g2cmA3D1Qm5VeF FmqiVuUvgH8S0Rfm/Xm+LWWX8lclalmdXZu/xWbKGXmzLxvq1osEbdIFQ9HuDtX2+HST dMGQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:message-id:user-agent:in-reply-to :content-disposition:mime-version:references:reply-to:subject:cc:to :from:date:arc-authentication-results; bh=SaGkJIo1QEUCWuYLvqgaPg6SP33wSfDANV3lrZMu1YM=; b=HV/8Lz7h3i1+zRZ5pAzt4WtQhYrtBz4FeaKK7/Zxa3p9TgbhLxV+mjxXeR57b9rXqT fZjftE2620DbnpZ3jtVwYrM7cCMWv4j3TGWTdMhMlID9OiGfXtBkQiw0wR154e7vTCv7 cBETu9LMhbuwqsleYcNeG21LPARI9lfRwSGsoeJzQyZ2u0mlK9VverxqzQbIYn8c0iFd wO5PKl5yJDzATmgKDc2H/Bp4eV7TSXktA0qTLzpaK6KVNbmY+vMl/atLngf0E4yhoL1s ZNLmVrFg0Cxs6a0w4YrDJBPOVFZrvx9Hz6uQMVEFESeRVG0mJPam8vWK6OFvOl6pQ43b yw8Q== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ibm.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 9-v6si9246242plb.140.2018.04.05.17.24.29; Thu, 05 Apr 2018 17:24:43 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ibm.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751360AbeDFAXW (ORCPT + 99 others); Thu, 5 Apr 2018 20:23:22 -0400 Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]:47214 "EHLO mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1751179AbeDFAXV (ORCPT ); Thu, 5 Apr 2018 20:23:21 -0400 Received: from pps.filterd (m0098414.ppops.net [127.0.0.1]) by mx0b-001b2d01.pphosted.com (8.16.0.22/8.16.0.22) with SMTP id w360JDtP007491 for ; Thu, 5 Apr 2018 20:23:20 -0400 Received: from e06smtp15.uk.ibm.com (e06smtp15.uk.ibm.com [195.75.94.111]) by mx0b-001b2d01.pphosted.com with ESMTP id 2h5u6sp5wy-1 (version=TLSv1.2 cipher=AES256-SHA256 bits=256 verify=NOT) for ; Thu, 05 Apr 2018 20:23:20 -0400 Received: from localhost by e06smtp15.uk.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Fri, 6 Apr 2018 01:23:18 +0100 Received: from b06cxnps4076.portsmouth.uk.ibm.com (9.149.109.198) by e06smtp15.uk.ibm.com (192.168.101.145) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; Fri, 6 Apr 2018 01:23:14 +0100 Received: from d06av26.portsmouth.uk.ibm.com (d06av26.portsmouth.uk.ibm.com [9.149.105.62]) by b06cxnps4076.portsmouth.uk.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id w360NEW549741828; Fri, 6 Apr 2018 00:23:14 GMT Received: from d06av26.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 112A3AE055; Fri, 6 Apr 2018 01:13:18 +0100 (BST) Received: from d06av26.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 130F5AE045; Fri, 6 Apr 2018 01:13:17 +0100 (BST) Received: from ram.oc3035372033.ibm.com (unknown [9.80.237.168]) by d06av26.portsmouth.uk.ibm.com (Postfix) with ESMTPS; Fri, 6 Apr 2018 01:13:16 +0100 (BST) Date: Thu, 5 Apr 2018 17:23:10 -0700 From: Ram Pai To: Takashi Iwai Cc: Bjorn Helgaas , linux-kernel@vger.kernel.org, Michael Henders Subject: Re: [PATCH] resource: Fix integer overflow at reallocation Reply-To: Ram Pai References: <20180402071616.27177-1-tiwai@suse.de> <20180402190903.GH5743@ram.oc3035372033.ibm.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.20 (2009-12-10) X-TM-AS-GCONF: 00 x-cbid: 18040600-0020-0000-0000-0000040EA0B1 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 18040600-0021-0000-0000-000042A2B71A Message-Id: <20180406002310.GI5743@ram.oc3035372033.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:,, definitions=2018-04-05_12:,, signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1011 lowpriorityscore=0 impostorscore=0 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1709140000 definitions=main-1804060001 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Apr 05, 2018 at 04:40:15PM +0200, Takashi Iwai wrote: > On Mon, 02 Apr 2018 22:35:04 +0200, > Takashi Iwai wrote: > > > > On Mon, 02 Apr 2018 21:09:03 +0200, > > Ram Pai wrote: > > > > > > On Mon, Apr 02, 2018 at 09:16:16AM +0200, Takashi Iwai wrote: > > > > We've got a bug report indicating a kernel panic at booting on an > > > > x86-32 system, and it turned out to be the invalid resource assigned > > > > after reallocation. __find_resource() first aligns the resource start > > > > address and resets the end address with start+size-1 accordingly, then > > > > checks whether it's contained. Here the end address may overflow the > > > > integer, although resource_contains() still returns true because the > > > > function validates only start and end address. So this ends up with > > > > returning an invalid resource (start > end). > > > > > > > > There was already an attempt to cover such a problem in the commit > > > > 47ea91b4052d ("Resource: fix wrong resource window calculation"), but > > > > this case is an overseen one. > > > > > > > > This patch adds the validity check of the newly calculated resource > > > > for avoiding the integer overflow problem. > > > > > > Should we move this check "alloc.start <= alloc.end" into resource_contains()? > > > Doing so will catch all uses of such erroneous (overflowing) resources. > > > > I thought of it, too. OTOH, it's rather a validity check and doesn't > > belong to resource_contains() semantics. If the function returns > > false, you don't know whether it's an invalid resource or it's really > > not contained. > > > > We may return an error code, but I'm not sure whether such an API > > change is needed. Maybe not. > > FWIW, below is the revised one to move the check into > resource_contains(). > > My concern is, however, that the resource validity check isn't a job > of resource_contains(). OTOH, this may avoid other similar cases, so > it might be worth. > > In anyway, if there is no objection, and anyone else doesn't want to > take, I'll forward this to Andrew as a poor orphan kid. I will stand by you as a poor-orphan-buddy. :-) Reviewed-by: Ram Pai RP > > > thanks, > > Takashi > > -- 8< -- > From: Takashi Iwai > Subject: [PATCH v2] resource: Fix integer overflow at reallocation > > We've got a bug report indicating a kernel panic at booting on an > x86-32 system, and it turned out to be the invalid resource assigned > after reallocation. __find_resource() first aligns the resource start > address and resets the end address with start+size-1 accordingly, then > checks whether it's contained. Here the end address may overflow the > integer, although resource_contains() still returns true because the > function validates only start and end address. So this ends up with > returning an invalid resource (start > end). > > There was already an attempt to cover such a problem in the commit > 47ea91b4052d ("Resource: fix wrong resource window calculation"), but > this case is an overseen one. > > This patch adds the validity check in resource_contains() to see > whether the given resource has a valid range for avoiding the integer > overflow problem. > > Bugzilla: https://urldefense.proofpoint.com/v2/url?u=http-3A__bugzilla.opensuse.org_show-5Fbug.cgi-3Fid-3D1086739&d=DwIBAg&c=jf_iaSHvJObTbx-siA1ZOg&r=m-UrKChQVkZtnPpjbF6YY99NbT8FBByQ-E-ygV8luxw&m=NNkNAWFZc1XRu3rkv7Y2sepSCe8re2cvNZuCJt5dWFE&s=7i3g3ZVYsUceGVK_ZKkCJIABp4l0RD59NelK3GoD8mI&e= > Fixes: 23c570a67448 ("resource: ability to resize an allocated resource") > Reported-and-tested-by: Michael Henders > Cc: > Signed-off-by: Takashi Iwai > --- > include/linux/ioport.h | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/include/linux/ioport.h b/include/linux/ioport.h > index da0ebaec25f0..466d7be046eb 100644 > --- a/include/linux/ioport.h > +++ b/include/linux/ioport.h > @@ -212,6 +212,9 @@ static inline bool resource_contains(struct resource *r1, struct resource *r2) > return false; > if (r1->flags & IORESOURCE_UNSET || r2->flags & IORESOURCE_UNSET) > return false; > + /* sanity check whether it's a valid resource range */ > + if (r2->end < r2->start) > + return false; > return r1->start <= r2->start && r1->end >= r2->end; > } > > -- > 2.16.3 -- Ram Pai