* [PATCH] x86/efi: fix potential NULL pointer dereference
@ 2015-04-24 6:07 ` Firo Yang
0 siblings, 0 replies; 8+ messages in thread
From: Firo Yang @ 2015-04-24 6:07 UTC (permalink / raw)
To: matt.fleming-ral2JQCrhuEAvxtiuMwx3w
Cc: tglx-hfZtesqFncYOwBW4kG4KsQ, mingo-H+wXaHxf7aLQT0dZR+AlfA,
hpa-YMNOUZJC4hwAvxtiuMwx3w, x86-DgEjT+Ai2ygdnm+yROfE0A,
linux-efi-u79uwXL29TY76Z2rM5mHXA,
kernel-janitors-u79uwXL29TY76Z2rM5mHXA, Firo Yang
In this patch, I add error-handing code for kmalloc() in
arch/x86/platform/efi/efi_64.c::efi_call_phys_prolog().
If kmalloc() failed to alloc memroy, save_pgd will be a NULL
pointer dereferenced by subsequent codes.
Signed-off-by: Firo Yang <firogm@gmail.com>
---
arch/x86/platform/efi/efi_64.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/arch/x86/platform/efi/efi_64.c b/arch/x86/platform/efi/efi_64.c
index a0ac0f9..62326c4 100644
--- a/arch/x86/platform/efi/efi_64.c
+++ b/arch/x86/platform/efi/efi_64.c
@@ -90,6 +90,8 @@ pgd_t * __init efi_call_phys_prolog(void)
n_pgds = DIV_ROUND_UP((max_pfn << PAGE_SHIFT), PGDIR_SIZE);
save_pgd = kmalloc(n_pgds * sizeof(pgd_t), GFP_KERNEL);
+ if (unlikely(!save_pgd))
+ return NULL;
for (pgd = 0; pgd < n_pgds; pgd++) {
save_pgd[pgd] = *pgd_offset_k(pgd * PGDIR_SIZE);
--
2.1.0
^ permalink raw reply related [flat|nested] 8+ messages in thread
* [PATCH] x86/efi: fix potential NULL pointer dereference
@ 2015-04-24 6:07 ` Firo Yang
0 siblings, 0 replies; 8+ messages in thread
From: Firo Yang @ 2015-04-24 6:07 UTC (permalink / raw)
To: matt.fleming-ral2JQCrhuEAvxtiuMwx3w
Cc: tglx-hfZtesqFncYOwBW4kG4KsQ, mingo-H+wXaHxf7aLQT0dZR+AlfA,
hpa-YMNOUZJC4hwAvxtiuMwx3w, x86-DgEjT+Ai2ygdnm+yROfE0A,
linux-efi-u79uwXL29TY76Z2rM5mHXA,
kernel-janitors-u79uwXL29TY76Z2rM5mHXA, Firo Yang
In this patch, I add error-handing code for kmalloc() in
arch/x86/platform/efi/efi_64.c::efi_call_phys_prolog().
If kmalloc() failed to alloc memroy, save_pgd will be a NULL
pointer dereferenced by subsequent codes.
Signed-off-by: Firo Yang <firogm-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
---
arch/x86/platform/efi/efi_64.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/arch/x86/platform/efi/efi_64.c b/arch/x86/platform/efi/efi_64.c
index a0ac0f9..62326c4 100644
--- a/arch/x86/platform/efi/efi_64.c
+++ b/arch/x86/platform/efi/efi_64.c
@@ -90,6 +90,8 @@ pgd_t * __init efi_call_phys_prolog(void)
n_pgds = DIV_ROUND_UP((max_pfn << PAGE_SHIFT), PGDIR_SIZE);
save_pgd = kmalloc(n_pgds * sizeof(pgd_t), GFP_KERNEL);
+ if (unlikely(!save_pgd))
+ return NULL;
for (pgd = 0; pgd < n_pgds; pgd++) {
save_pgd[pgd] = *pgd_offset_k(pgd * PGDIR_SIZE);
--
2.1.0
^ permalink raw reply related [flat|nested] 8+ messages in thread
* Re: [PATCH] x86/efi: fix potential NULL pointer dereference
[not found] ` <1429855639-14706-1-git-send-email-firogm-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
@ 2015-04-24 10:42 ` Dan Carpenter
2015-04-24 15:33 ` James Bottomley
1 sibling, 0 replies; 8+ messages in thread
From: Dan Carpenter @ 2015-04-24 10:42 UTC (permalink / raw)
To: Firo Yang
Cc: matt.fleming-ral2JQCrhuEAvxtiuMwx3w, tglx-hfZtesqFncYOwBW4kG4KsQ,
mingo-H+wXaHxf7aLQT0dZR+AlfA, hpa-YMNOUZJC4hwAvxtiuMwx3w,
x86-DgEjT+Ai2ygdnm+yROfE0A, linux-efi-u79uwXL29TY76Z2rM5mHXA,
kernel-janitors-u79uwXL29TY76Z2rM5mHXA
On Fri, Apr 24, 2015 at 02:07:19PM +0800, Firo Yang wrote:
> diff --git a/arch/x86/platform/efi/efi_64.c b/arch/x86/platform/efi/efi_64.c
> index a0ac0f9..62326c4 100644
> --- a/arch/x86/platform/efi/efi_64.c
> +++ b/arch/x86/platform/efi/efi_64.c
> @@ -90,6 +90,8 @@ pgd_t * __init efi_call_phys_prolog(void)
>
> n_pgds = DIV_ROUND_UP((max_pfn << PAGE_SHIFT), PGDIR_SIZE);
> save_pgd = kmalloc(n_pgds * sizeof(pgd_t), GFP_KERNEL);
> + if (unlikely(!save_pgd))
> + return NULL;
A bunch of init code doesn't check for NULL because it won't happen in
real life. It makes my life a little bit harder because it introduces
meaningless static checker warnings... Oh well.
Don't add unlikely() here because it won't help with benchmarks
and it makes the code harder to read.
regards,
dan carpenter
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH] x86/efi: fix potential NULL pointer dereference
@ 2015-04-24 10:42 ` Dan Carpenter
0 siblings, 0 replies; 8+ messages in thread
From: Dan Carpenter @ 2015-04-24 10:42 UTC (permalink / raw)
To: Firo Yang
Cc: matt.fleming-ral2JQCrhuEAvxtiuMwx3w, tglx-hfZtesqFncYOwBW4kG4KsQ,
mingo-H+wXaHxf7aLQT0dZR+AlfA, hpa-YMNOUZJC4hwAvxtiuMwx3w,
x86-DgEjT+Ai2ygdnm+yROfE0A, linux-efi-u79uwXL29TY76Z2rM5mHXA,
kernel-janitors-u79uwXL29TY76Z2rM5mHXA
On Fri, Apr 24, 2015 at 02:07:19PM +0800, Firo Yang wrote:
> diff --git a/arch/x86/platform/efi/efi_64.c b/arch/x86/platform/efi/efi_64.c
> index a0ac0f9..62326c4 100644
> --- a/arch/x86/platform/efi/efi_64.c
> +++ b/arch/x86/platform/efi/efi_64.c
> @@ -90,6 +90,8 @@ pgd_t * __init efi_call_phys_prolog(void)
>
> n_pgds = DIV_ROUND_UP((max_pfn << PAGE_SHIFT), PGDIR_SIZE);
> save_pgd = kmalloc(n_pgds * sizeof(pgd_t), GFP_KERNEL);
> + if (unlikely(!save_pgd))
> + return NULL;
A bunch of init code doesn't check for NULL because it won't happen in
real life. It makes my life a little bit harder because it introduces
meaningless static checker warnings... Oh well.
Don't add unlikely() here because it won't help with benchmarks
and it makes the code harder to read.
regards,
dan carpenter
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH] x86/efi: fix potential NULL pointer dereference
[not found] ` <1429855639-14706-1-git-send-email-firogm-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
@ 2015-04-24 15:33 ` James Bottomley
2015-04-24 15:33 ` James Bottomley
1 sibling, 0 replies; 8+ messages in thread
From: James Bottomley @ 2015-04-24 15:33 UTC (permalink / raw)
To: Firo Yang
Cc: matt.fleming-ral2JQCrhuEAvxtiuMwx3w, tglx-hfZtesqFncYOwBW4kG4KsQ,
mingo-H+wXaHxf7aLQT0dZR+AlfA, hpa-YMNOUZJC4hwAvxtiuMwx3w,
x86-DgEjT+Ai2ygdnm+yROfE0A, linux-efi-u79uwXL29TY76Z2rM5mHXA,
kernel-janitors-u79uwXL29TY76Z2rM5mHXA
On Fri, 2015-04-24 at 14:07 +0800, Firo Yang wrote:
> In this patch, I add error-handing code for kmalloc() in
> arch/x86/platform/efi/efi_64.c::efi_call_phys_prolog().
>
> If kmalloc() failed to alloc memroy, save_pgd will be a NULL
> pointer dereferenced by subsequent codes.
>
> Signed-off-by: Firo Yang <firogm@gmail.com>
> ---
> arch/x86/platform/efi/efi_64.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/arch/x86/platform/efi/efi_64.c b/arch/x86/platform/efi/efi_64.c
> index a0ac0f9..62326c4 100644
> --- a/arch/x86/platform/efi/efi_64.c
> +++ b/arch/x86/platform/efi/efi_64.c
> @@ -90,6 +90,8 @@ pgd_t * __init efi_call_phys_prolog(void)
>
> n_pgds = DIV_ROUND_UP((max_pfn << PAGE_SHIFT), PGDIR_SIZE);
> save_pgd = kmalloc(n_pgds * sizeof(pgd_t), GFP_KERNEL);
> + if (unlikely(!save_pgd))
> + return NULL;
>
> for (pgd = 0; pgd < n_pgds; pgd++) {
> save_pgd[pgd] = *pgd_offset_k(pgd * PGDIR_SIZE);
First explain what you're trying to achieve? I'm asking because the
code you've introduced is actively harmful: the return from
efi_call_phys_prolog() isn't checked for errors, so the error you return
won't be handled and we'll likely trigger a much harder to detect error
if the allocation you're checking fails. Effectively the prolog/epilog
do nothing and we never restore the pgds we hijacked, yet the system
continues on with the memory map in an unexpected state.
In my opinion the NULL deref we get further down in the prolog code is
actually a far better indicator of failure than what you're proposing.
James
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH] x86/efi: fix potential NULL pointer dereference
@ 2015-04-24 15:33 ` James Bottomley
0 siblings, 0 replies; 8+ messages in thread
From: James Bottomley @ 2015-04-24 15:33 UTC (permalink / raw)
To: Firo Yang
Cc: matt.fleming-ral2JQCrhuEAvxtiuMwx3w, tglx-hfZtesqFncYOwBW4kG4KsQ,
mingo-H+wXaHxf7aLQT0dZR+AlfA, hpa-YMNOUZJC4hwAvxtiuMwx3w,
x86-DgEjT+Ai2ygdnm+yROfE0A, linux-efi-u79uwXL29TY76Z2rM5mHXA,
kernel-janitors-u79uwXL29TY76Z2rM5mHXA
On Fri, 2015-04-24 at 14:07 +0800, Firo Yang wrote:
> In this patch, I add error-handing code for kmalloc() in
> arch/x86/platform/efi/efi_64.c::efi_call_phys_prolog().
>
> If kmalloc() failed to alloc memroy, save_pgd will be a NULL
> pointer dereferenced by subsequent codes.
>
> Signed-off-by: Firo Yang <firogm-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
> ---
> arch/x86/platform/efi/efi_64.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/arch/x86/platform/efi/efi_64.c b/arch/x86/platform/efi/efi_64.c
> index a0ac0f9..62326c4 100644
> --- a/arch/x86/platform/efi/efi_64.c
> +++ b/arch/x86/platform/efi/efi_64.c
> @@ -90,6 +90,8 @@ pgd_t * __init efi_call_phys_prolog(void)
>
> n_pgds = DIV_ROUND_UP((max_pfn << PAGE_SHIFT), PGDIR_SIZE);
> save_pgd = kmalloc(n_pgds * sizeof(pgd_t), GFP_KERNEL);
> + if (unlikely(!save_pgd))
> + return NULL;
>
> for (pgd = 0; pgd < n_pgds; pgd++) {
> save_pgd[pgd] = *pgd_offset_k(pgd * PGDIR_SIZE);
First explain what you're trying to achieve? I'm asking because the
code you've introduced is actively harmful: the return from
efi_call_phys_prolog() isn't checked for errors, so the error you return
won't be handled and we'll likely trigger a much harder to detect error
if the allocation you're checking fails. Effectively the prolog/epilog
do nothing and we never restore the pgds we hijacked, yet the system
continues on with the memory map in an unexpected state.
In my opinion the NULL deref we get further down in the prolog code is
actually a far better indicator of failure than what you're proposing.
James
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH] x86/efi: fix potential NULL pointer dereference
2015-04-24 15:33 ` James Bottomley
@ 2015-04-25 7:15 ` Firo Yang
-1 siblings, 0 replies; 8+ messages in thread
From: Firo Yang @ 2015-04-25 7:15 UTC (permalink / raw)
To: James Bottomley
Cc: matt.fleming, tglx, mingo, hpa, x86, linux-efi, kernel-janitors
On Fri, Apr 24, 2015 at 08:33:29AM -0700, James Bottomley wrote:
<On Fri, 2015-04-24 at 14:07 +0800, Firo Yang wrote:
<> In this patch, I add error-handing code for kmalloc() in
<> arch/x86/platform/efi/efi_64.c::efi_call_phys_prolog().
<>
<> If kmalloc() failed to alloc memroy, save_pgd will be a NULL
<> pointer dereferenced by subsequent codes.
<>
<> Signed-off-by: Firo Yang <firogm@gmail.com>
<> ---
<> arch/x86/platform/efi/efi_64.c | 2 ++
<> 1 file changed, 2 insertions(+)
<>
<> diff --git a/arch/x86/platform/efi/efi_64.c b/arch/x86/platform/efi/efi_64.c
<> index a0ac0f9..62326c4 100644
<> --- a/arch/x86/platform/efi/efi_64.c
<> +++ b/arch/x86/platform/efi/efi_64.c
<> @@ -90,6 +90,8 @@ pgd_t * __init efi_call_phys_prolog(void)
<>
<> n_pgds = DIV_ROUND_UP((max_pfn << PAGE_SHIFT), PGDIR_SIZE);
<> save_pgd = kmalloc(n_pgds * sizeof(pgd_t), GFP_KERNEL);
<> + if (unlikely(!save_pgd))
<> + return NULL;
<>
<> for (pgd = 0; pgd < n_pgds; pgd++) {
<> save_pgd[pgd] = *pgd_offset_k(pgd * PGDIR_SIZE);
<
<First explain what you're trying to achieve? I'm asking because the
<code you've introduced is actively harmful: the return from
<efi_call_phys_prolog() isn't checked for errors, so the error you return
<won't be handled and we'll likely trigger a much harder to detect error
<if the allocation you're checking fails. Effectively the prolog/epilog
<do nothing and we never restore the pgds we hijacked, yet the system
<continues on with the memory map in an unexpected state.
<
<In my opinion the NULL deref we get further down in the prolog code is
<actually a far better indicator of failure than what you're proposing.
<
<James
<
I feel sorry for introducing this problematic and harmful patch.
I will do more checks and tests before submitting patch next time.
The deep reason is that I did not fully understand these code and
add the error-handing code roughly.
Regards
Firo
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH] x86/efi: fix potential NULL pointer dereference
@ 2015-04-25 7:15 ` Firo Yang
0 siblings, 0 replies; 8+ messages in thread
From: Firo Yang @ 2015-04-25 7:15 UTC (permalink / raw)
To: James Bottomley
Cc: matt.fleming, tglx, mingo, hpa, x86, linux-efi, kernel-janitors
On Fri, Apr 24, 2015 at 08:33:29AM -0700, James Bottomley wrote:
<On Fri, 2015-04-24 at 14:07 +0800, Firo Yang wrote:
<> In this patch, I add error-handing code for kmalloc() in
<> arch/x86/platform/efi/efi_64.c::efi_call_phys_prolog().
<>
<> If kmalloc() failed to alloc memroy, save_pgd will be a NULL
<> pointer dereferenced by subsequent codes.
<>
<> Signed-off-by: Firo Yang <firogm@gmail.com>
<> ---
<> arch/x86/platform/efi/efi_64.c | 2 ++
<> 1 file changed, 2 insertions(+)
<>
<> diff --git a/arch/x86/platform/efi/efi_64.c b/arch/x86/platform/efi/efi_64.c
<> index a0ac0f9..62326c4 100644
<> --- a/arch/x86/platform/efi/efi_64.c
<> +++ b/arch/x86/platform/efi/efi_64.c
<> @@ -90,6 +90,8 @@ pgd_t * __init efi_call_phys_prolog(void)
<>
<> n_pgds = DIV_ROUND_UP((max_pfn << PAGE_SHIFT), PGDIR_SIZE);
<> save_pgd = kmalloc(n_pgds * sizeof(pgd_t), GFP_KERNEL);
<> + if (unlikely(!save_pgd))
<> + return NULL;
<>
<> for (pgd = 0; pgd < n_pgds; pgd++) {
<> save_pgd[pgd] = *pgd_offset_k(pgd * PGDIR_SIZE);
<
<First explain what you're trying to achieve? I'm asking because the
<code you've introduced is actively harmful: the return from
<efi_call_phys_prolog() isn't checked for errors, so the error you return
<won't be handled and we'll likely trigger a much harder to detect error
<if the allocation you're checking fails. Effectively the prolog/epilog
<do nothing and we never restore the pgds we hijacked, yet the system
<continues on with the memory map in an unexpected state.
<
<In my opinion the NULL deref we get further down in the prolog code is
<actually a far better indicator of failure than what you're proposing.
<
<James
<
I feel sorry for introducing this problematic and harmful patch.
I will do more checks and tests before submitting patch next time.
The deep reason is that I did not fully understand these code and
add the error-handing code roughly.
Regards
Firo
^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2015-04-25 7:15 UTC | newest]
Thread overview: 8+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2015-04-24 6:07 [PATCH] x86/efi: fix potential NULL pointer dereference Firo Yang
2015-04-24 6:07 ` Firo Yang
[not found] ` <1429855639-14706-1-git-send-email-firogm-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
2015-04-24 10:42 ` Dan Carpenter
2015-04-24 10:42 ` Dan Carpenter
2015-04-24 15:33 ` James Bottomley
2015-04-24 15:33 ` James Bottomley
2015-04-25 7:15 ` Firo Yang
2015-04-25 7:15 ` Firo Yang
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.