Message ID | 1443995369-11399-1-git-send-email-sasha.levin@oracle.com (mailing list archive) |
---|---|
State | New, archived |
Delegated to: | Bjorn Helgaas |
Headers | show |
Hi Sasha, On Sun, Oct 04, 2015 at 05:49:29PM -0400, Sasha Levin wrote: > Commit 63692df1 ("PCI: Allow numa_node override via sysfs") didn't check that > the numa node provided by userspace is valid. Passing a node number too high > would attempt to access invalid memory and trigger a kernel panic. > > Fixes: 63692df1 ("PCI: Allow numa_node override via sysfs") > Signed-off-by: Sasha Levin <sasha.levin@oracle.com> > --- > drivers/pci/pci-sysfs.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c > index 312f23a..e9abca8 100644 > --- a/drivers/pci/pci-sysfs.c > +++ b/drivers/pci/pci-sysfs.c > @@ -216,7 +216,7 @@ static ssize_t numa_node_store(struct device *dev, > if (ret) > return ret; > > - if (!node_online(node)) > + if (node > MAX_NUMNODES || !node_online(node)) This needs to be "node >= MAX_NUMNODES", doesn't it? I'll fix it up if you agree. Looks like a candidate for stable. > return -EINVAL; > > add_taint(TAINT_FIRMWARE_WORKAROUND, LOCKDEP_STILL_OK); > -- > 1.7.10.4 > > -- > To unsubscribe from this list: send the line "unsubscribe linux-pci" in > the body of a message to majordomo@vger.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html -- To unsubscribe from this list: send the line "unsubscribe linux-pci" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On 10/06/2015 03:36 PM, Bjorn Helgaas wrote: > Hi Sasha, > > On Sun, Oct 04, 2015 at 05:49:29PM -0400, Sasha Levin wrote: >> Commit 63692df1 ("PCI: Allow numa_node override via sysfs") didn't check that >> the numa node provided by userspace is valid. Passing a node number too high >> would attempt to access invalid memory and trigger a kernel panic. >> >> Fixes: 63692df1 ("PCI: Allow numa_node override via sysfs") >> Signed-off-by: Sasha Levin <sasha.levin@oracle.com> >> --- >> drivers/pci/pci-sysfs.c | 2 +- >> 1 file changed, 1 insertion(+), 1 deletion(-) >> >> diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c >> index 312f23a..e9abca8 100644 >> --- a/drivers/pci/pci-sysfs.c >> +++ b/drivers/pci/pci-sysfs.c >> @@ -216,7 +216,7 @@ static ssize_t numa_node_store(struct device *dev, >> if (ret) >> return ret; >> >> - if (!node_online(node)) >> + if (node > MAX_NUMNODES || !node_online(node)) > > This needs to be "node >= MAX_NUMNODES", doesn't it? I'll fix it up if > you agree. Not a strenuous objection, but I don't see much bound checking using MAX_NUMNODES in the kernel outside of the core numa area. Is fixing node_online() with bounds checking a better option here so that other callers get the fix? I would have thought that calling node_online() with node > MAX_NUMNODES should be safe to call. P. > > Looks like a candidate for stable. > >> return -EINVAL; >> >> add_taint(TAINT_FIRMWARE_WORKAROUND, LOCKDEP_STILL_OK); >> -- >> 1.7.10.4 >> >> -- >> To unsubscribe from this list: send the line "unsubscribe linux-pci" in >> the body of a message to majordomo@vger.kernel.org >> More majordomo info at http://vger.kernel.org/majordomo-info.html > -- > To unsubscribe from this list: send the line "unsubscribe linux-pci" in > the body of a message to majordomo@vger.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html > -- To unsubscribe from this list: send the line "unsubscribe linux-pci" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On 10/06/2015 04:02 PM, Prarit Bhargava wrote: > > > On 10/06/2015 03:36 PM, Bjorn Helgaas wrote: >> Hi Sasha, >> >> On Sun, Oct 04, 2015 at 05:49:29PM -0400, Sasha Levin wrote: >>> Commit 63692df1 ("PCI: Allow numa_node override via sysfs") didn't check that >>> the numa node provided by userspace is valid. Passing a node number too high >>> would attempt to access invalid memory and trigger a kernel panic. >>> >>> Fixes: 63692df1 ("PCI: Allow numa_node override via sysfs") >>> Signed-off-by: Sasha Levin <sasha.levin@oracle.com> >>> --- >>> drivers/pci/pci-sysfs.c | 2 +- >>> 1 file changed, 1 insertion(+), 1 deletion(-) >>> >>> diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c >>> index 312f23a..e9abca8 100644 >>> --- a/drivers/pci/pci-sysfs.c >>> +++ b/drivers/pci/pci-sysfs.c >>> @@ -216,7 +216,7 @@ static ssize_t numa_node_store(struct device *dev, >>> if (ret) >>> return ret; >>> >>> - if (!node_online(node)) >>> + if (node > MAX_NUMNODES || !node_online(node)) >> >> This needs to be "node >= MAX_NUMNODES", doesn't it? I'll fix it up if >> you agree. Yup, you're right. > > Not a strenuous objection, but I don't see much bound checking using > MAX_NUMNODES in the kernel outside of the core numa area. Is fixing > node_online() with bounds checking a better option here so that other callers > get the fix? I would have thought that calling node_online() with node > > MAX_NUMNODES should be safe to call. I don't know, this will add overhead to node_online(), and isn't really done in any other similar function. For example, cpu_online() isn't safe to call with cpu > NR_CPUS either. Thanks, Sasha -- To unsubscribe from this list: send the line "unsubscribe linux-pci" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Hi Prarit, On Tue, Oct 06, 2015 at 04:02:22PM -0400, Prarit Bhargava wrote: > On 10/06/2015 03:36 PM, Bjorn Helgaas wrote: > > On Sun, Oct 04, 2015 at 05:49:29PM -0400, Sasha Levin wrote: > >> Commit 63692df1 ("PCI: Allow numa_node override via sysfs") didn't check that > >> the numa node provided by userspace is valid. Passing a node number too high > >> would attempt to access invalid memory and trigger a kernel panic. > >> > >> Fixes: 63692df1 ("PCI: Allow numa_node override via sysfs") > >> Signed-off-by: Sasha Levin <sasha.levin@oracle.com> > >> --- > >> drivers/pci/pci-sysfs.c | 2 +- > >> 1 file changed, 1 insertion(+), 1 deletion(-) > >> > >> diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c > >> index 312f23a..e9abca8 100644 > >> --- a/drivers/pci/pci-sysfs.c > >> +++ b/drivers/pci/pci-sysfs.c > >> @@ -216,7 +216,7 @@ static ssize_t numa_node_store(struct device *dev, > >> if (ret) > >> return ret; > >> > >> - if (!node_online(node)) > >> + if (node > MAX_NUMNODES || !node_online(node)) > > > > This needs to be "node >= MAX_NUMNODES", doesn't it? I'll fix it up if > > you agree. > > Not a strenuous objection, but I don't see much bound checking using > MAX_NUMNODES in the kernel outside of the core numa area. Is fixing > node_online() with bounds checking a better option here so that other callers > get the fix? I would have thought that calling node_online() with node > > MAX_NUMNODES should be safe to call. Yes, that would certainly be an option. I don't feel super strongly either way, but one argument in favor of Sasha's approach is that the validation of user input is nice and obvious right at the point where we process the input. Bjorn -- To unsubscribe from this list: send the line "unsubscribe linux-pci" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c index 312f23a..e9abca8 100644 --- a/drivers/pci/pci-sysfs.c +++ b/drivers/pci/pci-sysfs.c @@ -216,7 +216,7 @@ static ssize_t numa_node_store(struct device *dev, if (ret) return ret; - if (!node_online(node)) + if (node > MAX_NUMNODES || !node_online(node)) return -EINVAL; add_taint(TAINT_FIRMWARE_WORKAROUND, LOCKDEP_STILL_OK);
Commit 63692df1 ("PCI: Allow numa_node override via sysfs") didn't check that the numa node provided by userspace is valid. Passing a node number too high would attempt to access invalid memory and trigger a kernel panic. Fixes: 63692df1 ("PCI: Allow numa_node override via sysfs") Signed-off-by: Sasha Levin <sasha.levin@oracle.com> --- drivers/pci/pci-sysfs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)