Received: by 10.192.165.148 with SMTP id m20csp2489042imm; Sun, 22 Apr 2018 08:05:13 -0700 (PDT) X-Google-Smtp-Source: AIpwx4+C4yD1wCrW9ZdnKgSFVbHbpCXKYhaIh/FngWl+e+9V4A3MbgTYWJj5fH+xAJyaRTzW6ojt X-Received: by 2002:a17:902:2006:: with SMTP id n6-v6mr17799623pla.125.1524409513131; Sun, 22 Apr 2018 08:05:13 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1524409513; cv=none; d=google.com; s=arc-20160816; b=UrHs6bCoYBywLaxQBn76g3VYk7yKXsoD3TuHzZKw3vspFsoOzLp1i4HtTu6j8UGFW8 4PGEzVg53q85/y6iN7ghA2Y0Mriy3TKZY1oLWf6/k8IvQvoBtxkn9tAh/wbu2vCtwUA8 AVO8run2H6/L+D7UQ5/gwjX61ntK6srFSGtVoPICMRIFXVjBT1JJh8ym/eSDxOn8/QRq bB0jYO97cGKdEw1sC5PlxS7hi5rrAi4Rx8llfbN9E94UtUVJmpGLrcu15UTzcgvC5NGi uKMUGvwkY3OL8y8hj5teY223fkyhtllutLs9eftAt6c5UbyzQCsTf2sWFeKuq5Z/vic+ wPPg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:references :in-reply-to:message-id:date:subject:cc:to:from :arc-authentication-results; bh=BjlxJGmAw87VQtmAMlRPg1/ay261RJonJRC6syactUM=; b=EvFMB0TkZHFn/WD4vQDvcVm1avMH/kvhkv4apT1wstsnG4Vqf7Qr5I7vPat2Kdn5JH FJqg9CYTQN/GOrWgiIzlxEAgIwXeFeFoJNgMbJuCd1U3uo3saGww8afWVCBuUAPS1QH8 Zf9T/9ZnnlqK9vqMeq/452yzDEw/AHYo2U+UdNx5llnQiObZIRgQuasYzDLFOJBWcjDI zeZJHNUYjp+EGg7OO8quvtrRIDeGTGJljreAvftFtIc65B/mBdXOy/1vc7eTUoA66jxY z2UBKBSzNlz+HY+SQsK3cOSfsaE+Q6JwUcZvdgyey2JIWGkiJDvjJX+3fv6sj71+eSG5 dhng== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id y18si9095021pfe.286.2018.04.22.08.04.59; Sun, 22 Apr 2018 08:05:13 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1756613AbeDVOMD (ORCPT + 99 others); Sun, 22 Apr 2018 10:12:03 -0400 Received: from mail.linuxfoundation.org ([140.211.169.12]:54660 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1756037AbeDVOLx (ORCPT ); Sun, 22 Apr 2018 10:11:53 -0400 Received: from localhost (LFbn-1-12247-202.w90-92.abo.wanadoo.fr [90.92.61.202]) by mail.linuxfoundation.org (Postfix) with ESMTPSA id 2DD42CC2; Sun, 22 Apr 2018 14:11:53 +0000 (UTC) From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Takashi Iwai , Michael Henders , Andrew Morton , Ram Pai , Bjorn Helgaas , Linus Torvalds Subject: [PATCH 4.9 07/95] resource: fix integer overflow at reallocation Date: Sun, 22 Apr 2018 15:52:36 +0200 Message-Id: <20180422135210.730682234@linuxfoundation.org> X-Mailer: git-send-email 2.17.0 In-Reply-To: <20180422135210.432103639@linuxfoundation.org> References: <20180422135210.432103639@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.9-stable review patch. If anyone has any objections, please let me know. ------------------ From: Takashi Iwai commit 60bb83b81169820c691fbfa33a6a4aef32aa4b0b upstream. We've got a bug report indicating a kernel panic at booting on an x86-32 system, and it turned out to be the invalid PCI resource assigned after reallocation. __find_resource() first aligns the resource start address and resets the end address with start+size-1 accordingly, then checks whether it's contained. Here the end address may overflow the integer, although resource_contains() still returns true because the function validates only start and end address. So this ends up with returning an invalid resource (start > end). There was already an attempt to cover such a problem in the commit 47ea91b4052d ("Resource: fix wrong resource window calculation"), but this case is an overseen one. This patch adds the validity check of the newly calculated resource for avoiding the integer overflow problem. Bugzilla: http://bugzilla.opensuse.org/show_bug.cgi?id=1086739 Link: http://lkml.kernel.org/r/s5hpo37d5l8.wl-tiwai@suse.de Fixes: 23c570a67448 ("resource: ability to resize an allocated resource") Signed-off-by: Takashi Iwai Reported-by: Michael Henders Tested-by: Michael Henders Reviewed-by: Andrew Morton Cc: Ram Pai Cc: Bjorn Helgaas Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman --- kernel/resource.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) --- a/kernel/resource.c +++ b/kernel/resource.c @@ -633,7 +633,8 @@ static int __find_resource(struct resour alloc.start = constraint->alignf(constraint->alignf_data, &avail, size, constraint->align); alloc.end = alloc.start + size - 1; - if (resource_contains(&avail, &alloc)) { + if (alloc.start <= alloc.end && + resource_contains(&avail, &alloc)) { new->start = alloc.start; new->end = alloc.end; return 0;