* [PATCH] RISC-V: Fix out-of-bounds accesses in init_resources()
@ 2021-03-12 15:46 Geert Uytterhoeven
2021-03-15 18:12 ` Atish Patra
2021-03-17 4:53 ` Palmer Dabbelt
0 siblings, 2 replies; 3+ messages in thread
From: Geert Uytterhoeven @ 2021-03-12 15:46 UTC (permalink / raw)
To: Paul Walmsley, Palmer Dabbelt, Albert Ou, Atish Patra
Cc: linux-riscv, linux-kernel, Geert Uytterhoeven
init_resources() allocates an array of resources, based on the current
total number of memory regions and reserved memory regions. However,
allocating this array using memblock_alloc() might increase the number
of reserved memory regions. If that happens, populating the array later
based on the new number of regions will cause out-of-bounds writes
beyond the end of the allocated array.
Fix this by allocating one more entry, which may or may not be used.
Fixes: 797f0375dd2ef5cd ("RISC-V: Do not allocate memblock while iterating reserved memblocks")
Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
---
Tested on vexriscv, which works now using L1_CACHE_SHIFT = 6, too.
This issue may show up during early boot as:
Unable to handle kernel paging request at virtual address c8000008
Oops [#1]
CPU: 0 PID: 0 Comm: swapper Not tainted 5.11.0-orangecrab-00023-g7c4fc8e3e982-dirty #137
epc: c04d6660 ra : c04d6560 sp : c05ddf70
gp : c0678bc0 tp : c05e5b40 t0 : c8000000
t1 : 00030000 t2 : ffffffff s0 : c05ddfc0
s1 : c8000000 a0 : 00000000 a1 : c7ffffe0
a2 : 00000005 a3 : 00000001 a4 : 0000000c
a5 : 00000000 a6 : c04fe000 a7 : 0000000c
s2 : c04fe098 s3 : 000000a0 s4 : c7ffff60
s5 : c04fe0dc s6 : 80000200 s7 : c059f1d4
s8 : 81000200 s9 : c059f1f0 s10: 80000200
s11: c059f1d4 t3 : 405dbb60 t4 : c05e6f08
t5 : 81000200 t6 : 40501000
status: 00000100 badaddr: c8000008 cause: 0000000f
random: get_random_bytes called from print_oops_end_marker+0x38/0x7c with crng_init=0
---[ end trace 0000000000000000 ]---
or much later as:
Unable to handle kernel paging request at virtual address 69726573
---
arch/riscv/kernel/setup.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/arch/riscv/kernel/setup.c b/arch/riscv/kernel/setup.c
index e85bacff1b5075ee..f8f15332caa20263 100644
--- a/arch/riscv/kernel/setup.c
+++ b/arch/riscv/kernel/setup.c
@@ -147,7 +147,8 @@ static void __init init_resources(void)
bss_res.end = __pa_symbol(__bss_stop) - 1;
bss_res.flags = IORESOURCE_SYSTEM_RAM | IORESOURCE_BUSY;
- mem_res_sz = (memblock.memory.cnt + memblock.reserved.cnt) * sizeof(*mem_res);
+ /* + 1 as memblock_alloc() might increase memblock.reserved.cnt */
+ mem_res_sz = (memblock.memory.cnt + memblock.reserved.cnt + 1) * sizeof(*mem_res);
mem_res = memblock_alloc(mem_res_sz, SMP_CACHE_BYTES);
if (!mem_res)
panic("%s: Failed to allocate %zu bytes\n", __func__, mem_res_sz);
--
2.25.1
_______________________________________________
linux-riscv mailing list
linux-riscv@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-riscv
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH] RISC-V: Fix out-of-bounds accesses in init_resources()
2021-03-12 15:46 [PATCH] RISC-V: Fix out-of-bounds accesses in init_resources() Geert Uytterhoeven
@ 2021-03-15 18:12 ` Atish Patra
2021-03-17 4:53 ` Palmer Dabbelt
1 sibling, 0 replies; 3+ messages in thread
From: Atish Patra @ 2021-03-15 18:12 UTC (permalink / raw)
To: Geert Uytterhoeven
Cc: Paul Walmsley, Palmer Dabbelt, Albert Ou, Atish Patra,
linux-riscv, linux-kernel@vger.kernel.org List
On Fri, Mar 12, 2021 at 7:46 AM Geert Uytterhoeven <geert@linux-m68k.org> wrote:
>
> init_resources() allocates an array of resources, based on the current
> total number of memory regions and reserved memory regions. However,
> allocating this array using memblock_alloc() might increase the number
> of reserved memory regions. If that happens, populating the array later
> based on the new number of regions will cause out-of-bounds writes
> beyond the end of the allocated array.
>
> Fix this by allocating one more entry, which may or may not be used.
>
> Fixes: 797f0375dd2ef5cd ("RISC-V: Do not allocate memblock while iterating reserved memblocks")
> Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
> ---
> Tested on vexriscv, which works now using L1_CACHE_SHIFT = 6, too.
>
> This issue may show up during early boot as:
>
> Unable to handle kernel paging request at virtual address c8000008
> Oops [#1]
> CPU: 0 PID: 0 Comm: swapper Not tainted 5.11.0-orangecrab-00023-g7c4fc8e3e982-dirty #137
> epc: c04d6660 ra : c04d6560 sp : c05ddf70
> gp : c0678bc0 tp : c05e5b40 t0 : c8000000
> t1 : 00030000 t2 : ffffffff s0 : c05ddfc0
> s1 : c8000000 a0 : 00000000 a1 : c7ffffe0
> a2 : 00000005 a3 : 00000001 a4 : 0000000c
> a5 : 00000000 a6 : c04fe000 a7 : 0000000c
> s2 : c04fe098 s3 : 000000a0 s4 : c7ffff60
> s5 : c04fe0dc s6 : 80000200 s7 : c059f1d4
> s8 : 81000200 s9 : c059f1f0 s10: 80000200
> s11: c059f1d4 t3 : 405dbb60 t4 : c05e6f08
> t5 : 81000200 t6 : 40501000
> status: 00000100 badaddr: c8000008 cause: 0000000f
> random: get_random_bytes called from print_oops_end_marker+0x38/0x7c with crng_init=0
> ---[ end trace 0000000000000000 ]---
>
> or much later as:
>
> Unable to handle kernel paging request at virtual address 69726573
> ---
> arch/riscv/kernel/setup.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/arch/riscv/kernel/setup.c b/arch/riscv/kernel/setup.c
> index e85bacff1b5075ee..f8f15332caa20263 100644
> --- a/arch/riscv/kernel/setup.c
> +++ b/arch/riscv/kernel/setup.c
> @@ -147,7 +147,8 @@ static void __init init_resources(void)
> bss_res.end = __pa_symbol(__bss_stop) - 1;
> bss_res.flags = IORESOURCE_SYSTEM_RAM | IORESOURCE_BUSY;
>
> - mem_res_sz = (memblock.memory.cnt + memblock.reserved.cnt) * sizeof(*mem_res);
> + /* + 1 as memblock_alloc() might increase memblock.reserved.cnt */
> + mem_res_sz = (memblock.memory.cnt + memblock.reserved.cnt + 1) * sizeof(*mem_res);
> mem_res = memblock_alloc(mem_res_sz, SMP_CACHE_BYTES);
> if (!mem_res)
> panic("%s: Failed to allocate %zu bytes\n", __func__, mem_res_sz);
> --
> 2.25.1
>
>
> _______________________________________________
> linux-riscv mailing list
> linux-riscv@lists.infradead.org
> http://lists.infradead.org/mailman/listinfo/linux-riscv
Thanks for catching the bug & fixing it.
Reviewed-by: Atish Patra <atish.patra@wdc.com>
--
Regards,
Atish
_______________________________________________
linux-riscv mailing list
linux-riscv@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-riscv
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH] RISC-V: Fix out-of-bounds accesses in init_resources()
2021-03-12 15:46 [PATCH] RISC-V: Fix out-of-bounds accesses in init_resources() Geert Uytterhoeven
2021-03-15 18:12 ` Atish Patra
@ 2021-03-17 4:53 ` Palmer Dabbelt
1 sibling, 0 replies; 3+ messages in thread
From: Palmer Dabbelt @ 2021-03-17 4:53 UTC (permalink / raw)
To: geert; +Cc: Paul Walmsley, aou, Atish Patra, linux-riscv, linux-kernel, geert
On Fri, 12 Mar 2021 07:46:34 PST (-0800), geert@linux-m68k.org wrote:
> init_resources() allocates an array of resources, based on the current
> total number of memory regions and reserved memory regions. However,
> allocating this array using memblock_alloc() might increase the number
> of reserved memory regions. If that happens, populating the array later
> based on the new number of regions will cause out-of-bounds writes
> beyond the end of the allocated array.
>
> Fix this by allocating one more entry, which may or may not be used.
>
> Fixes: 797f0375dd2ef5cd ("RISC-V: Do not allocate memblock while iterating reserved memblocks")
> Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
> ---
> Tested on vexriscv, which works now using L1_CACHE_SHIFT = 6, too.
>
> This issue may show up during early boot as:
>
> Unable to handle kernel paging request at virtual address c8000008
> Oops [#1]
> CPU: 0 PID: 0 Comm: swapper Not tainted 5.11.0-orangecrab-00023-g7c4fc8e3e982-dirty #137
> epc: c04d6660 ra : c04d6560 sp : c05ddf70
> gp : c0678bc0 tp : c05e5b40 t0 : c8000000
> t1 : 00030000 t2 : ffffffff s0 : c05ddfc0
> s1 : c8000000 a0 : 00000000 a1 : c7ffffe0
> a2 : 00000005 a3 : 00000001 a4 : 0000000c
> a5 : 00000000 a6 : c04fe000 a7 : 0000000c
> s2 : c04fe098 s3 : 000000a0 s4 : c7ffff60
> s5 : c04fe0dc s6 : 80000200 s7 : c059f1d4
> s8 : 81000200 s9 : c059f1f0 s10: 80000200
> s11: c059f1d4 t3 : 405dbb60 t4 : c05e6f08
> t5 : 81000200 t6 : 40501000
> status: 00000100 badaddr: c8000008 cause: 0000000f
> random: get_random_bytes called from print_oops_end_marker+0x38/0x7c with crng_init=0
> ---[ end trace 0000000000000000 ]---
>
> or much later as:
>
> Unable to handle kernel paging request at virtual address 69726573
> ---
> arch/riscv/kernel/setup.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/arch/riscv/kernel/setup.c b/arch/riscv/kernel/setup.c
> index e85bacff1b5075ee..f8f15332caa20263 100644
> --- a/arch/riscv/kernel/setup.c
> +++ b/arch/riscv/kernel/setup.c
> @@ -147,7 +147,8 @@ static void __init init_resources(void)
> bss_res.end = __pa_symbol(__bss_stop) - 1;
> bss_res.flags = IORESOURCE_SYSTEM_RAM | IORESOURCE_BUSY;
>
> - mem_res_sz = (memblock.memory.cnt + memblock.reserved.cnt) * sizeof(*mem_res);
> + /* + 1 as memblock_alloc() might increase memblock.reserved.cnt */
> + mem_res_sz = (memblock.memory.cnt + memblock.reserved.cnt + 1) * sizeof(*mem_res);
> mem_res = memblock_alloc(mem_res_sz, SMP_CACHE_BYTES);
> if (!mem_res)
> panic("%s: Failed to allocate %zu bytes\n", __func__, mem_res_sz);
Thanks, this is on fixes.
_______________________________________________
linux-riscv mailing list
linux-riscv@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-riscv
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2021-03-17 4:53 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-03-12 15:46 [PATCH] RISC-V: Fix out-of-bounds accesses in init_resources() Geert Uytterhoeven
2021-03-15 18:12 ` Atish Patra
2021-03-17 4:53 ` Palmer Dabbelt
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).