Bug in vme subsystem (vme.c)

Dan Carpenter dan.carpenter at oracle.com
Sat Feb 23 19:39:34 UTC 2013


Thank you for your bug report.

I've added Martyn and Manohar to the CC list.

On Sat, Feb 23, 2013 at 06:53:18PM +0100, ternaryd wrote:
> Hi,
> 
> In vme.c, function vme_master_set(), vme_check_window() is called,
> where invalid restrictions are applied. In case of address space
> VME_A16, vme_base + size must not exceed VME_A16_MAX, which is defined
> in include/linux/vme.h to 0x10000ULL. The second test is never
> evaluated.
> 

I looked at the assembly and I think the second test is evaluated.

It looks like it's testing for integer overflow, but not correctly.
A large value of size (which comes directly from the user in
vme_user_ioctl()) could make vme_base + size wrap to a low number.

It should be:

	if (size > VME_A16_MAX || vme_base > VME_A16_MAX ||
	    size + vme_base > VME_A16_MAX)
		retval = -EFAULT;

That way it can't overflow.  Presumably only root can call
vme_master_set() so this isn't a security bug.

> As slave windows must not overlap, this means that there can not be
> more than one window in this address space on any VME bus member,
> because the only valid base address would be 0x0. The correct test
> should be the maximum value of a 64-bit unsigned integer plus 1, minus
> 0xffff; and if checking is already done, maybe some alignment test
> could help. Other than this, the call to vme_check_window() could also
> be eliminated.

I'm not sure how vme works so hopefully someone else can comment on
this.

regards,
dan carpenter
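An added illustration of the wrap-around Dan describes (this is example code, not the kernel's vme.c nor code from either poster): the first function has the shape of a single combined sum comparison, which a huge user-supplied size can wrap past; the second is the corrected check quoted in the reply. VME_A16_MAX is taken from the report (0x10000ULL); the function names and sample inputs are constructed for the demonstration.

```c
#include <stdio.h>

/* From the report: VME_A16_MAX is defined in include/linux/vme.h as 0x10000ULL. */
#define VME_A16_MAX 0x10000ULL

/* Simplified version of the check under discussion (hypothetical name, not the
 * kernel's exact line): one combined comparison, so a huge size makes
 * vme_base + size wrap around to a small value that passes the test. */
int a16_window_ok_wrapping(unsigned long long vme_base, unsigned long long size)
{
    return vme_base + size <= VME_A16_MAX;
}

/* The corrected check from the reply: bound each operand first, so both are
 * at most 0x10000 and the sum (at most 0x20000) can no longer wrap. */
int a16_window_ok_checked(unsigned long long vme_base, unsigned long long size)
{
    if (size > VME_A16_MAX || vme_base > VME_A16_MAX ||
        size + vme_base > VME_A16_MAX)
        return 0;                 /* would be -EFAULT in the driver */
    return 1;
}

int main(void)
{
    /* Constructed inputs: a sane window, and a size chosen so that
     * vme_base + size wraps to 0x7fff (base + 0xffff...ffff == base - 1). */
    unsigned long long base = 0x8000ULL;
    unsigned long long huge = ~0ULL;

    printf("sane size 0x100: wrapping=%d checked=%d\n",
           a16_window_ok_wrapping(base, 0x100ULL),
           a16_window_ok_checked(base, 0x100ULL));
    printf("huge size      : wrapping=%d checked=%d\n",
           a16_window_ok_wrapping(base, huge),
           a16_window_ok_checked(base, huge));
    return 0;
}
```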
