Received: by 10.213.65.68 with SMTP id h4csp3249065imn;
        Mon, 9 Apr 2018 17:27:05 -0700 (PDT)
X-Google-Smtp-Source: AIpwx4+XNZMHHKOz1qfF71HMrQgd6cnnNbtvq8Mec1g3WzPJN5jktJEARixM7/PXJ38i6E//0uqY
X-Received: by 10.99.6.198 with SMTP id 189mr27114947pgg.131.1523320025562;
        Mon, 09 Apr 2018 17:27:05 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1523320025; cv=none;
        d=google.com; s=arc-20160816;
        b=lZw8cpUrmuaahqj2Gt55xvCf+szbzXa8cggbF6yFlT0VvewERtcbjvAZQRMXWmjml6
         anwaRLeWKqdy1nNieZZHWARk1g1vBkHzCjudTkbh8TWuv9daLpD5OBAmclaznNFpbFeg
         dE+5MJZN7M1DH/BXPVLMJNuKQogrKsHny5y/53jKMo+GqN4iE7DMhoqafgFTf5++1XK1
         lBIpWCy90SqT24yTBQkclhiH7Hss/YbAOMqcsbvWts6+o/KRMlrF3hceqZk3l5bXpSGw
         zZh7OPFqVK6640+GX7mCAmVBQ0oftRnfPJcCjJAV+rFMtf0V7w6UG32JFAfjzbRUX6b6
         aWIA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :references:in-reply-to:message-id:subject:cc:to:from:date
         :arc-authentication-results;
        bh=cRzPeYUsNgHd9psl66MSFNJ/+D0Qp4QUqMjivyZXEYs=;
        b=VP0aDRSt4s2Qeqx7nnaMVQa+snxTezzS73VhZQAnNdqLxSugv0UJGGtj3D+qi09ecZ
         sFm7Tal2wwpnj10p04+b4tN8W6sy/zVpcwfcNiA4Km9ickwkQPBewMPG80UtkifaCuk6
         iPcYXt48Oi2+uEDw3E0k2DrsZfzUXPo4ElM7pO2SJSirnTXsMxX205A8NqlcuiMhpAnN
         vryHL4dRxw42pa6cZaXaDPYe5bzy0htipCmVy344SiQMRlgOn2TJ4kosOWUFt91BgBtr
         7tADF44pAZDr7D7HJGTk3HtlNB1irt413XEKpcHfs+qG9zdI5SRmH6HKf9bxV40W7uaI
         uGgQ==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id n189si1070007pfn.356.2018.04.09.17.26.28;
        Mon, 09 Apr 2018 17:27:05 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1751652AbeDJAX2 (ORCPT <rfc822;0330sisy@gmail.com> + 99 others);
        Mon, 9 Apr 2018 20:23:28 -0400
Received: from mail.linuxfoundation.org ([140.211.169.12]:34520 "EHLO
        mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1751456AbeDJAX1 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 9 Apr 2018 20:23:27 -0400
Received: from localhost.localdomain (c-24-4-125-7.hsd1.ca.comcast.net [24.4.125.7])
        by mail.linuxfoundation.org (Postfix) with ESMTPSA id 44F59CFA;
        Tue, 10 Apr 2018 00:23:27 +0000 (UTC)
Date:   Mon, 9 Apr 2018 17:23:26 -0700
From:   Andrew Morton <akpm@linux-foundation.org>
To:     Takashi Iwai <tiwai@suse.de>
Cc:     Ram Pai <linuxram@us.ibm.com>, Bjorn Helgaas <bhelgaas@google.com>,
        Michael Henders <hendersm@shaw.ca>,
        linux-kernel@vger.kernel.org
Subject: Re: [PATCH v2] resource: Fix integer overflow at reallocation
Message-Id: <20180409172326.944143fd13db2601e4dee9b0@linux-foundation.org>
In-Reply-To: <20180408072026.27365-1-tiwai@suse.de>
References: <20180408072026.27365-1-tiwai@suse.de>
X-Mailer: Sylpheed 3.5.1 (GTK+ 2.24.31; x86_64-pc-linux-gnu)
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Sun,  8 Apr 2018 09:20:26 +0200 Takashi Iwai <tiwai@suse.de> wrote:

> We've got a bug report indicating a kernel panic at booting on an
> x86-32 system, and it turned out to be the invalid resource assigned
> after PCI resource reallocation.  __find_resource() first aligns the
> resource start address and resets the end address with start+size-1
> accordingly, then checks whether it's contained.  Here the end address
> may overflow the integer, although resource_contains() still returns
> true because the function validates only start and end address.  So
> this ends up with returning an invalid resource (start > end).
> 
> There was already an attempt to cover such a problem in the commit
> 47ea91b4052d ("Resource: fix wrong resource window calculation"), but
> this case is an overseen one.
> 
> This patch adds the validity check in resource_contains() to see
> whether the given resource has a valid range for avoiding the integer
> overflow problem.
> 
> ...
>
> --- a/include/linux/ioport.h
> +++ b/include/linux/ioport.h
> @@ -212,6 +212,9 @@ static inline bool resource_contains(struct resource *r1, struct resource *r2)
>  		return false;
>  	if (r1->flags & IORESOURCE_UNSET || r2->flags & IORESOURCE_UNSET)
>  		return false;
> +	/* sanity check whether it's a valid resource range */
> +	if (r2->end < r2->start)
> +		return false;
>  	return r1->start <= r2->start && r1->end >= r2->end;
>  }

This doesn't look like the correct place to handle this?  Clearly .end
< .start is an invalid state for a resource and we should never have
constructed such a thing in the first place?  So adding a check at the
place where this resource was initially created seems to be the correct
fix?