All of lore.kernel.org
 help / color / mirror / Atom feed
From: Takashi Iwai <tiwai@suse.de>
To: Ram Pai <linuxram@us.ibm.com>
Cc: Andrew Morton <akpm@linux-foundation.org>,
	Bjorn Helgaas <bhelgaas@google.com>,
	Michael Henders <hendersm@shaw.ca>,
	linux-kernel@vger.kernel.org
Subject: Re: [PATCH v2] resource: Fix integer overflow at reallocation
Date: Wed, 11 Apr 2018 08:16:33 +0200	[thread overview]
Message-ID: <s5hefjmb73y.wl-tiwai@suse.de> (raw)
In-Reply-To: <20180411003744.GC15890@ram.oc3035372033.ibm.com>

On Wed, 11 Apr 2018 02:37:44 +0200,
Ram Pai wrote:
> 
> On Tue, Apr 10, 2018 at 01:42:39PM -0700, Andrew Morton wrote:
> > On Tue, 10 Apr 2018 06:54:11 +0200 Takashi Iwai <tiwai@suse.de> wrote:
> > 
> > > On Tue, 10 Apr 2018 02:23:26 +0200,
> > > Andrew Morton wrote:
> > > > 
> > > > On Sun,  8 Apr 2018 09:20:26 +0200 Takashi Iwai <tiwai@suse.de> wrote:
> > > > 
> > > > > We've got a bug report indicating a kernel panic at booting on an
> > > > > x86-32 system, and it turned out to be the invalid resource assigned
> > > > > after PCI resource reallocation.  __find_resource() first aligns the
> > > > > resource start address and resets the end address with start+size-1
> > > > > accordingly, then checks whether it's contained.  Here the end address
> > > > > may overflow the integer, although resource_contains() still returns
> > > > > true because the function validates only start and end address.  So
> > > > > this ends up with returning an invalid resource (start > end).
> > > > > 
> > > > > There was already an attempt to cover such a problem in the commit
> > > > > 47ea91b4052d ("Resource: fix wrong resource window calculation"), but
> > > > > this case is an overseen one.
> > > > > 
> > > > > This patch adds the validity check in resource_contains() to see
> > > > > whether the given resource has a valid range for avoiding the integer
> > > > > overflow problem.
> > > > > 
> > > > > ...
> > > > >
> > > > > --- a/include/linux/ioport.h
> > > > > +++ b/include/linux/ioport.h
> > > > > @@ -212,6 +212,9 @@ static inline bool resource_contains(struct resource *r1, struct resource *r2)
> > > > >  		return false;
> > > > >  	if (r1->flags & IORESOURCE_UNSET || r2->flags & IORESOURCE_UNSET)
> > > > >  		return false;
> > > > > +	/* sanity check whether it's a valid resource range */
> > > > > +	if (r2->end < r2->start)
> > > > > +		return false;
> > > > >  	return r1->start <= r2->start && r1->end >= r2->end;
> > > > >  }
> > > > 
> > > > This doesn't look like the correct place to handle this?  Clearly .end
> > > > < .start is an invalid state for a resource and we should never have
> > > > constructed such a thing in the first place?  So adding a check at the
> > > > place where this resource was initially created seems to be the correct
> > > > fix?
> > > 
> > > Yes, that was also my first thought and actually the v1 patch was like
> > > that.
> > 
> > Yes, I do prefer.
> > 
> > >  The v2 one was by Ram's suggestion so that we can cover
> > > potential bugs by all other callers as well.
> > 
> > That could be done as a separate thing?
> 
> the first approach will fix overflows in just that particular case. The
> second approach will catch and error-out overflows anywhere. There is a
> short-term down side to the second approach; it might cause a slew of
> error reports but will eventually help clean up all bad behavior.

For that purpose, maybe we should do in two folds: at first fix this
specific issue in __find_resource(), then put the sanity check in
resource_contains() in addition but with WARN_ON() so that we can
catch more obviously.


thanks,

Takashi

  reply	other threads:[~2018-04-11  6:16 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-04-08  7:20 [PATCH v2] resource: Fix integer overflow at reallocation Takashi Iwai
2018-04-10  0:23 ` Andrew Morton
2018-04-10  4:54   ` Takashi Iwai
2018-04-10 20:42     ` Andrew Morton
2018-04-11  0:37       ` Ram Pai
2018-04-11  6:16         ` Takashi Iwai [this message]
2018-04-11 14:08           ` Ram Pai

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=s5hefjmb73y.wl-tiwai@suse.de \
    --to=tiwai@suse.de \
    --cc=akpm@linux-foundation.org \
    --cc=bhelgaas@google.com \
    --cc=hendersm@shaw.ca \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linuxram@us.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.