* [PATCH v2] resource: Fix integer overflow at reallocation @ 2018-04-08 7:20 Takashi Iwai 2018-04-10 0:23 ` Andrew Morton 0 siblings, 1 reply; 7+ messages in thread From: Takashi Iwai @ 2018-04-08 7:20 UTC (permalink / raw) To: Andrew Morton; +Cc: Ram Pai, Bjorn Helgaas, Michael Henders, linux-kernel We've got a bug report indicating a kernel panic at booting on an x86-32 system, and it turned out to be the invalid resource assigned after PCI resource reallocation. __find_resource() first aligns the resource start address and resets the end address with start+size-1 accordingly, then checks whether it's contained. Here the end address may overflow the integer, although resource_contains() still returns true because the function validates only start and end address. So this ends up with returning an invalid resource (start > end). There was already an attempt to cover such a problem in the commit 47ea91b4052d ("Resource: fix wrong resource window calculation"), but this case is an overseen one. This patch adds the validity check in resource_contains() to see whether the given resource has a valid range for avoiding the integer overflow problem. Bugzilla: http://bugzilla.opensuse.org/show_bug.cgi?id=1086739 Fixes: 23c570a67448 ("resource: ability to resize an allocated resource") Reported-and-tested-by: Michael Henders <hendersm@shaw.ca> Reviewed-by: Ram Pai <linuxram@us.ibm.com> Cc: <stable@vger.kernel.org> Signed-off-by: Takashi Iwai <tiwai@suse.de> --- Andrew, could you pick this? It's still in a wild west... Thanks! v1->v2: check in resource_contains() instead of in __find_resource() include/linux/ioport.h | 3 +++ 1 file changed, 3 insertions(+) diff --git a/include/linux/ioport.h b/include/linux/ioport.h index da0ebaec25f0..466d7be046eb 100644 --- a/include/linux/ioport.h +++ b/include/linux/ioport.h @@ -212,6 +212,9 @@ static inline bool resource_contains(struct resource *r1, struct resource *r2) return false; if (r1->flags & IORESOURCE_UNSET || r2->flags & IORESOURCE_UNSET) return false; + /* sanity check whether it's a valid resource range */ + if (r2->end < r2->start) + return false; return r1->start <= r2->start && r1->end >= r2->end; } -- 2.16.3 ^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: [PATCH v2] resource: Fix integer overflow at reallocation 2018-04-08 7:20 [PATCH v2] resource: Fix integer overflow at reallocation Takashi Iwai @ 2018-04-10 0:23 ` Andrew Morton 2018-04-10 4:54 ` Takashi Iwai 0 siblings, 1 reply; 7+ messages in thread From: Andrew Morton @ 2018-04-10 0:23 UTC (permalink / raw) To: Takashi Iwai; +Cc: Ram Pai, Bjorn Helgaas, Michael Henders, linux-kernel On Sun, 8 Apr 2018 09:20:26 +0200 Takashi Iwai <tiwai@suse.de> wrote: > We've got a bug report indicating a kernel panic at booting on an > x86-32 system, and it turned out to be the invalid resource assigned > after PCI resource reallocation. __find_resource() first aligns the > resource start address and resets the end address with start+size-1 > accordingly, then checks whether it's contained. Here the end address > may overflow the integer, although resource_contains() still returns > true because the function validates only start and end address. So > this ends up with returning an invalid resource (start > end). > > There was already an attempt to cover such a problem in the commit > 47ea91b4052d ("Resource: fix wrong resource window calculation"), but > this case is an overseen one. > > This patch adds the validity check in resource_contains() to see > whether the given resource has a valid range for avoiding the integer > overflow problem. > > ... > > --- a/include/linux/ioport.h > +++ b/include/linux/ioport.h > @@ -212,6 +212,9 @@ static inline bool resource_contains(struct resource *r1, struct resource *r2) > return false; > if (r1->flags & IORESOURCE_UNSET || r2->flags & IORESOURCE_UNSET) > return false; > + /* sanity check whether it's a valid resource range */ > + if (r2->end < r2->start) > + return false; > return r1->start <= r2->start && r1->end >= r2->end; > } This doesn't look like the correct place to handle this? Clearly .end < .start is an invalid state for a resource and we should never have constructed such a thing in the first place? So adding a check at the place where this resource was initially created seems to be the correct fix? ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH v2] resource: Fix integer overflow at reallocation 2018-04-10 0:23 ` Andrew Morton @ 2018-04-10 4:54 ` Takashi Iwai 2018-04-10 20:42 ` Andrew Morton 0 siblings, 1 reply; 7+ messages in thread From: Takashi Iwai @ 2018-04-10 4:54 UTC (permalink / raw) To: Andrew Morton; +Cc: Ram Pai, Bjorn Helgaas, Michael Henders, linux-kernel On Tue, 10 Apr 2018 02:23:26 +0200, Andrew Morton wrote: > > On Sun, 8 Apr 2018 09:20:26 +0200 Takashi Iwai <tiwai@suse.de> wrote: > > > We've got a bug report indicating a kernel panic at booting on an > > x86-32 system, and it turned out to be the invalid resource assigned > > after PCI resource reallocation. __find_resource() first aligns the > > resource start address and resets the end address with start+size-1 > > accordingly, then checks whether it's contained. Here the end address > > may overflow the integer, although resource_contains() still returns > > true because the function validates only start and end address. So > > this ends up with returning an invalid resource (start > end). > > > > There was already an attempt to cover such a problem in the commit > > 47ea91b4052d ("Resource: fix wrong resource window calculation"), but > > this case is an overseen one. > > > > This patch adds the validity check in resource_contains() to see > > whether the given resource has a valid range for avoiding the integer > > overflow problem. > > > > ... > > > > --- a/include/linux/ioport.h > > +++ b/include/linux/ioport.h > > @@ -212,6 +212,9 @@ static inline bool resource_contains(struct resource *r1, struct resource *r2) > > return false; > > if (r1->flags & IORESOURCE_UNSET || r2->flags & IORESOURCE_UNSET) > > return false; > > + /* sanity check whether it's a valid resource range */ > > + if (r2->end < r2->start) > > + return false; > > return r1->start <= r2->start && r1->end >= r2->end; > > } > > This doesn't look like the correct place to handle this? Clearly .end > < .start is an invalid state for a resource and we should never have > constructed such a thing in the first place? So adding a check at the > place where this resource was initially created seems to be the correct > fix? Yes, that was also my first thought and actually the v1 patch was like that. The v2 one was by Ram's suggestion so that we can cover potential bugs by all other callers as well. I don't mind in which way to fix; below is the v1 version. Please choose the one you think better. Thanks! Takashi -- 8< -- From: Takashi Iwai <tiwai@suse.de> Subject: [PATCH v1] resource: Fix integer overflow at reallocation We've got a bug report indicating a kernel panic at booting on an x86-32 system, and it turned out to be the invalid PCI resource assigned after reallocation. __find_resource() first aligns the resource start address and resets the end address with start+size-1 accordingly, then checks whether it's contained. Here the end address may overflow the integer, although resource_contains() still returns true because the function validates only start and end address. So this ends up with returning an invalid resource (start > end). There was already an attempt to cover such a problem in the commit 47ea91b4052d ("Resource: fix wrong resource window calculation"), but this case is an overseen one. This patch adds the validity check of the newly calculated resource for avoiding the integer overflow problem. Bugzilla: http://bugzilla.opensuse.org/show_bug.cgi?id=1086739 Fixes: 23c570a67448 ("resource: ability to resize an allocated resource") Reported-and-tested-by: Michael Henders <hendersm@shaw.ca> Cc: <stable@vger.kernel.org> Signed-off-by: Takashi Iwai <tiwai@suse.de> --- kernel/resource.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/kernel/resource.c b/kernel/resource.c index e270b5048988..2af6c03858b9 100644 --- a/kernel/resource.c +++ b/kernel/resource.c @@ -651,7 +651,8 @@ static int __find_resource(struct resource *root, struct resource *old, alloc.start = constraint->alignf(constraint->alignf_data, &avail, size, constraint->align); alloc.end = alloc.start + size - 1; - if (resource_contains(&avail, &alloc)) { + if (alloc.start <= alloc.end && + resource_contains(&avail, &alloc)) { new->start = alloc.start; new->end = alloc.end; return 0; -- 2.16.2 ^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: [PATCH v2] resource: Fix integer overflow at reallocation 2018-04-10 4:54 ` Takashi Iwai @ 2018-04-10 20:42 ` Andrew Morton 2018-04-11 0:37 ` Ram Pai 0 siblings, 1 reply; 7+ messages in thread From: Andrew Morton @ 2018-04-10 20:42 UTC (permalink / raw) To: Takashi Iwai; +Cc: Ram Pai, Bjorn Helgaas, Michael Henders, linux-kernel On Tue, 10 Apr 2018 06:54:11 +0200 Takashi Iwai <tiwai@suse.de> wrote: > On Tue, 10 Apr 2018 02:23:26 +0200, > Andrew Morton wrote: > > > > On Sun, 8 Apr 2018 09:20:26 +0200 Takashi Iwai <tiwai@suse.de> wrote: > > > > > We've got a bug report indicating a kernel panic at booting on an > > > x86-32 system, and it turned out to be the invalid resource assigned > > > after PCI resource reallocation. __find_resource() first aligns the > > > resource start address and resets the end address with start+size-1 > > > accordingly, then checks whether it's contained. Here the end address > > > may overflow the integer, although resource_contains() still returns > > > true because the function validates only start and end address. So > > > this ends up with returning an invalid resource (start > end). > > > > > > There was already an attempt to cover such a problem in the commit > > > 47ea91b4052d ("Resource: fix wrong resource window calculation"), but > > > this case is an overseen one. > > > > > > This patch adds the validity check in resource_contains() to see > > > whether the given resource has a valid range for avoiding the integer > > > overflow problem. > > > > > > ... > > > > > > --- a/include/linux/ioport.h > > > +++ b/include/linux/ioport.h > > > @@ -212,6 +212,9 @@ static inline bool resource_contains(struct resource *r1, struct resource *r2) > > > return false; > > > if (r1->flags & IORESOURCE_UNSET || r2->flags & IORESOURCE_UNSET) > > > return false; > > > + /* sanity check whether it's a valid resource range */ > > > + if (r2->end < r2->start) > > > + return false; > > > return r1->start <= r2->start && r1->end >= r2->end; > > > } > > > > This doesn't look like the correct place to handle this? Clearly .end > > < .start is an invalid state for a resource and we should never have > > constructed such a thing in the first place? So adding a check at the > > place where this resource was initially created seems to be the correct > > fix? > > Yes, that was also my first thought and actually the v1 patch was like > that. Yes, I do prefer. > The v2 one was by Ram's suggestion so that we can cover > potential bugs by all other callers as well. That could be done as a separate thing? ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH v2] resource: Fix integer overflow at reallocation 2018-04-10 20:42 ` Andrew Morton @ 2018-04-11 0:37 ` Ram Pai 2018-04-11 6:16 ` Takashi Iwai 0 siblings, 1 reply; 7+ messages in thread From: Ram Pai @ 2018-04-11 0:37 UTC (permalink / raw) To: Andrew Morton; +Cc: Takashi Iwai, Bjorn Helgaas, Michael Henders, linux-kernel On Tue, Apr 10, 2018 at 01:42:39PM -0700, Andrew Morton wrote: > On Tue, 10 Apr 2018 06:54:11 +0200 Takashi Iwai <tiwai@suse.de> wrote: > > > On Tue, 10 Apr 2018 02:23:26 +0200, > > Andrew Morton wrote: > > > > > > On Sun, 8 Apr 2018 09:20:26 +0200 Takashi Iwai <tiwai@suse.de> wrote: > > > > > > > We've got a bug report indicating a kernel panic at booting on an > > > > x86-32 system, and it turned out to be the invalid resource assigned > > > > after PCI resource reallocation. __find_resource() first aligns the > > > > resource start address and resets the end address with start+size-1 > > > > accordingly, then checks whether it's contained. Here the end address > > > > may overflow the integer, although resource_contains() still returns > > > > true because the function validates only start and end address. So > > > > this ends up with returning an invalid resource (start > end). > > > > > > > > There was already an attempt to cover such a problem in the commit > > > > 47ea91b4052d ("Resource: fix wrong resource window calculation"), but > > > > this case is an overseen one. > > > > > > > > This patch adds the validity check in resource_contains() to see > > > > whether the given resource has a valid range for avoiding the integer > > > > overflow problem. > > > > > > > > ... > > > > > > > > --- a/include/linux/ioport.h > > > > +++ b/include/linux/ioport.h > > > > @@ -212,6 +212,9 @@ static inline bool resource_contains(struct resource *r1, struct resource *r2) > > > > return false; > > > > if (r1->flags & IORESOURCE_UNSET || r2->flags & IORESOURCE_UNSET) > > > > return false; > > > > + /* sanity check whether it's a valid resource range */ > > > > + if (r2->end < r2->start) > > > > + return false; > > > > return r1->start <= r2->start && r1->end >= r2->end; > > > > } > > > > > > This doesn't look like the correct place to handle this? Clearly .end > > > < .start is an invalid state for a resource and we should never have > > > constructed such a thing in the first place? So adding a check at the > > > place where this resource was initially created seems to be the correct > > > fix? > > > > Yes, that was also my first thought and actually the v1 patch was like > > that. > > Yes, I do prefer. > > > The v2 one was by Ram's suggestion so that we can cover > > potential bugs by all other callers as well. > > That could be done as a separate thing? the first approach will fix overflows in just that particular case. The second approach will catch and error-out overflows anywhere. There is a short-term down side to the second approach; it might cause a slew of error reports but will eventually help clean up all bad behavior. RP ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH v2] resource: Fix integer overflow at reallocation 2018-04-11 0:37 ` Ram Pai @ 2018-04-11 6:16 ` Takashi Iwai 2018-04-11 14:08 ` Ram Pai 0 siblings, 1 reply; 7+ messages in thread From: Takashi Iwai @ 2018-04-11 6:16 UTC (permalink / raw) To: Ram Pai; +Cc: Andrew Morton, Bjorn Helgaas, Michael Henders, linux-kernel On Wed, 11 Apr 2018 02:37:44 +0200, Ram Pai wrote: > > On Tue, Apr 10, 2018 at 01:42:39PM -0700, Andrew Morton wrote: > > On Tue, 10 Apr 2018 06:54:11 +0200 Takashi Iwai <tiwai@suse.de> wrote: > > > > > On Tue, 10 Apr 2018 02:23:26 +0200, > > > Andrew Morton wrote: > > > > > > > > On Sun, 8 Apr 2018 09:20:26 +0200 Takashi Iwai <tiwai@suse.de> wrote: > > > > > > > > > We've got a bug report indicating a kernel panic at booting on an > > > > > x86-32 system, and it turned out to be the invalid resource assigned > > > > > after PCI resource reallocation. __find_resource() first aligns the > > > > > resource start address and resets the end address with start+size-1 > > > > > accordingly, then checks whether it's contained. Here the end address > > > > > may overflow the integer, although resource_contains() still returns > > > > > true because the function validates only start and end address. So > > > > > this ends up with returning an invalid resource (start > end). > > > > > > > > > > There was already an attempt to cover such a problem in the commit > > > > > 47ea91b4052d ("Resource: fix wrong resource window calculation"), but > > > > > this case is an overseen one. > > > > > > > > > > This patch adds the validity check in resource_contains() to see > > > > > whether the given resource has a valid range for avoiding the integer > > > > > overflow problem. > > > > > > > > > > ... > > > > > > > > > > --- a/include/linux/ioport.h > > > > > +++ b/include/linux/ioport.h > > > > > @@ -212,6 +212,9 @@ static inline bool resource_contains(struct resource *r1, struct resource *r2) > > > > > return false; > > > > > if (r1->flags & IORESOURCE_UNSET || r2->flags & IORESOURCE_UNSET) > > > > > return false; > > > > > + /* sanity check whether it's a valid resource range */ > > > > > + if (r2->end < r2->start) > > > > > + return false; > > > > > return r1->start <= r2->start && r1->end >= r2->end; > > > > > } > > > > > > > > This doesn't look like the correct place to handle this? Clearly .end > > > > < .start is an invalid state for a resource and we should never have > > > > constructed such a thing in the first place? So adding a check at the > > > > place where this resource was initially created seems to be the correct > > > > fix? > > > > > > Yes, that was also my first thought and actually the v1 patch was like > > > that. > > > > Yes, I do prefer. > > > > > The v2 one was by Ram's suggestion so that we can cover > > > potential bugs by all other callers as well. > > > > That could be done as a separate thing? > > the first approach will fix overflows in just that particular case. The > second approach will catch and error-out overflows anywhere. There is a > short-term down side to the second approach; it might cause a slew of > error reports but will eventually help clean up all bad behavior. For that purpose, maybe we should do in two folds: at first fix this specific issue in __find_resource(), then put the sanity check in resource_contains() in addition but with WARN_ON() so that we can catch more obviously. thanks, Takashi ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH v2] resource: Fix integer overflow at reallocation 2018-04-11 6:16 ` Takashi Iwai @ 2018-04-11 14:08 ` Ram Pai 0 siblings, 0 replies; 7+ messages in thread From: Ram Pai @ 2018-04-11 14:08 UTC (permalink / raw) To: Takashi Iwai; +Cc: Andrew Morton, Bjorn Helgaas, Michael Henders, linux-kernel On Wed, Apr 11, 2018 at 08:16:33AM +0200, Takashi Iwai wrote: > On Wed, 11 Apr 2018 02:37:44 +0200, > Ram Pai wrote: > > > > On Tue, Apr 10, 2018 at 01:42:39PM -0700, Andrew Morton wrote: > > > On Tue, 10 Apr 2018 06:54:11 +0200 Takashi Iwai <tiwai@suse.de> wrote: > > > > > > > On Tue, 10 Apr 2018 02:23:26 +0200, > > > > Andrew Morton wrote: > > > > > > > > > > On Sun, 8 Apr 2018 09:20:26 +0200 Takashi Iwai <tiwai@suse.de> wrote: > > > > > > > > > > > We've got a bug report indicating a kernel panic at booting on an > > > > > > x86-32 system, and it turned out to be the invalid resource assigned > > > > > > after PCI resource reallocation. __find_resource() first aligns the > > > > > > resource start address and resets the end address with start+size-1 > > > > > > accordingly, then checks whether it's contained. Here the end address > > > > > > may overflow the integer, although resource_contains() still returns > > > > > > true because the function validates only start and end address. So > > > > > > this ends up with returning an invalid resource (start > end). > > > > > > > > > > > > There was already an attempt to cover such a problem in the commit > > > > > > 47ea91b4052d ("Resource: fix wrong resource window calculation"), but > > > > > > this case is an overseen one. > > > > > > > > > > > > This patch adds the validity check in resource_contains() to see > > > > > > whether the given resource has a valid range for avoiding the integer > > > > > > overflow problem. > > > > > > > > > > > > ... > > > > > > > > > > > > --- a/include/linux/ioport.h > > > > > > +++ b/include/linux/ioport.h > > > > > > @@ -212,6 +212,9 @@ static inline bool resource_contains(struct resource *r1, struct resource *r2) > > > > > > return false; > > > > > > if (r1->flags & IORESOURCE_UNSET || r2->flags & IORESOURCE_UNSET) > > > > > > return false; > > > > > > + /* sanity check whether it's a valid resource range */ > > > > > > + if (r2->end < r2->start) > > > > > > + return false; > > > > > > return r1->start <= r2->start && r1->end >= r2->end; > > > > > > } > > > > > > > > > > This doesn't look like the correct place to handle this? Clearly .end > > > > > < .start is an invalid state for a resource and we should never have > > > > > constructed such a thing in the first place? So adding a check at the > > > > > place where this resource was initially created seems to be the correct > > > > > fix? > > > > > > > > Yes, that was also my first thought and actually the v1 patch was like > > > > that. > > > > > > Yes, I do prefer. > > > > > > > The v2 one was by Ram's suggestion so that we can cover > > > > potential bugs by all other callers as well. > > > > > > That could be done as a separate thing? > > > > the first approach will fix overflows in just that particular case. The > > second approach will catch and error-out overflows anywhere. There is a > > short-term down side to the second approach; it might cause a slew of > > error reports but will eventually help clean up all bad behavior. > > For that purpose, maybe we should do in two folds: at first fix this > specific issue in __find_resource(), then put the sanity check in > resource_contains() in addition but with WARN_ON() so that we can > catch more obviously. Yes WARN_ON() is a better solution. do the v1 way for this bug and replace the check in resource_contains() to a WARN_ON() in a separate patch? RP ^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2018-04-11 14:09 UTC | newest] Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2018-04-08 7:20 [PATCH v2] resource: Fix integer overflow at reallocation Takashi Iwai 2018-04-10 0:23 ` Andrew Morton 2018-04-10 4:54 ` Takashi Iwai 2018-04-10 20:42 ` Andrew Morton 2018-04-11 0:37 ` Ram Pai 2018-04-11 6:16 ` Takashi Iwai 2018-04-11 14:08 ` Ram Pai
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.