Linux-EDAC Archive on lore.kernel.org
 help / color / Atom feed
* [PATCH] x86/mce/dev-mcelog: Fix potential memory access error
@ 2021-03-29  9:49 Yang Li
  2021-03-29 16:12 ` Luck, Tony
  0 siblings, 1 reply; 2+ messages in thread
From: Yang Li @ 2021-03-29  9:49 UTC (permalink / raw)
  To: tony.luck; +Cc: bp, tglx, mingo, x86, hpa, linux-edac, linux-kernel, Yang Li

Using set_bit() to set a bit in an integer is not a good idea, since
the function expects an unsigned long as argument, which can be 64bit
wide.
Coverity reports this problem as

High:Out-of-bounds access(INCOMPATIBLE_CAST)
CWE119: Out-of-bounds access to a scalar
Pointer "&mcelog->flags" points to an object whose effective type is
"unsigned int" (32 bits, unsigned) but is dereferenced as a wider
"unsigned long" (64 bits, unsigned). This may lead to memory corruption.

/home/heyuan.shy/git-repo/linux/arch/x86/kernel/cpu/mce/dev-mcelog.c:
dev_mce_log

Just use BIT instead.

Reported-by: Abaci Robot <abaci@linux.alibaba.com>
Signed-off-by: Yang Li <yang.lee@linux.alibaba.com>
---
 arch/x86/kernel/cpu/mce/dev-mcelog.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/x86/kernel/cpu/mce/dev-mcelog.c b/arch/x86/kernel/cpu/mce/dev-mcelog.c
index 100fbee..fd7b1b4 100644
--- a/arch/x86/kernel/cpu/mce/dev-mcelog.c
+++ b/arch/x86/kernel/cpu/mce/dev-mcelog.c
@@ -51,7 +51,7 @@ static int dev_mce_log(struct notifier_block *nb, unsigned long val,
 	 * earlier errors are the more interesting ones:
 	 */
 	if (entry >= mcelog->len) {
-		set_bit(MCE_OVERFLOW, (unsigned long *)&mcelog->flags);
+		mcelog->flags |= BIT(MCE_OVERFLOW);
 		goto unlock;
 	}
 
-- 
1.8.3.1


^ permalink raw reply	[flat|nested] 2+ messages in thread

* RE: [PATCH] x86/mce/dev-mcelog: Fix potential memory access error
  2021-03-29  9:49 [PATCH] x86/mce/dev-mcelog: Fix potential memory access error Yang Li
@ 2021-03-29 16:12 ` Luck, Tony
  0 siblings, 0 replies; 2+ messages in thread
From: Luck, Tony @ 2021-03-29 16:12 UTC (permalink / raw)
  To: Yang Li; +Cc: bp, tglx, mingo, x86, hpa, linux-edac, linux-kernel

-		set_bit(MCE_OVERFLOW, (unsigned long *)&mcelog->flags);
+		mcelog->flags |= BIT(MCE_OVERFLOW);

set_bit() is an atomic operation because it might race with the code to
get and clear this bit:

                do {
                        flags = mcelog->flags;
                } while (cmpxchg(&mcelog->flags, flags, 0) != flags);

Originally this was needed because mcelog could be called from #MC
context.

That's all changed now and the machine check notifier chain routines are
called in a kernel thread. So some other locking (mutex?) could be used
to protect access to mcelog->flags.

-Tony


^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, back to index

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-03-29  9:49 [PATCH] x86/mce/dev-mcelog: Fix potential memory access error Yang Li
2021-03-29 16:12 ` Luck, Tony

Linux-EDAC Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/linux-edac/0 linux-edac/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 linux-edac linux-edac/ https://lore.kernel.org/linux-edac \
		linux-edac@vger.kernel.org
	public-inbox-index linux-edac

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.linux-edac


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git