Bug in vme subsystem (vme.c)
Dan Carpenter
dan.carpenter at oracle.com
Sat Feb 23 19:39:34 UTC 2013
Thank you for your bug report.
I've added Martyn and Manohar to the CC list.
On Sat, Feb 23, 2013 at 06:53:18PM +0100, ternaryd wrote:
> Hi,
>
> In vme.c, function vme_master_set(), vme_check_window() is called,
> where invalid restrictions are applied. In case of address space
> VME_A16, vme_base + size must not exceed VME_A16_MAX, which is defined
> in include/linux/vme.h to 0x10000ULL. The second test is never
> evaluated.
>
I looked at the assembly and I think the second test is evaluated.
It looks like it's testing for integer overflow, but not correctly.
A large value of size (which comes directly from the user in
vme_user_ioctl()) could make vme_base + size wrap to a low number.
It should be:
	if (size > VME_A16_MAX || vme_base > VME_A16_MAX ||
	    size + vme_base > VME_A16_MAX)
		retval = -EFAULT;
That way it can't overflow. Presumably only root can call
vme_master_set() so this isn't a security bug.
> As slave windows must not overlap, this means that there can not be
> more than one window in this address space on any VME bus member,
> because the only valid base address would be 0x0. The correct test
> should be the maximum value of a 64-bit unsigned integer plus 1, minus
> 0xffff; and if checking is already done, maybe some alignment test
> could help. Other than this, the call to vme_check_window() could also
> be eliminated.
I'm not sure how vme works so hopefully someone else can comment on
this.
regards,
dan carpenter
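To make the wrap Dan describes concrete, here is an added user-space C example (not Dan's code and not the kernel's vme.c): VME_A16_MAX is the 0x10000ULL value named in the report, and a16_window_ok_naive / a16_window_ok_fixed are hypothetical names standing in for the A16 branch of vme_check_window() before and after the suggested reordering, with the naive form reconstructed from Dan's description (sum test plus base test) rather than copied from the kernel.

```c
#include <stdbool.h>
#include <stdio.h>

/* Value from include/linux/vme.h as quoted in the bug report. */
#define VME_A16_MAX 0x10000ULL

/* Reconstructed shape of the original check: the sum vme_base + size is
 * computed first, so a huge user-supplied size wraps it to a small number
 * and the window is accepted even though it lies far outside A16. */
bool a16_window_ok_naive(unsigned long long vme_base, unsigned long long size)
{
	if ((vme_base + size) > VME_A16_MAX || vme_base > VME_A16_MAX)
		return false;
	return true;
}

/* Check in the form Dan suggests: bound each operand before adding, so
 * neither operand can exceed 0x10000 and the sum can no longer wrap. */
bool a16_window_ok_fixed(unsigned long long vme_base, unsigned long long size)
{
	if (size > VME_A16_MAX || vme_base > VME_A16_MAX ||
	    size + vme_base > VME_A16_MAX)
		return false;
	return true;
}

int main(void)
{
	/* Constructed input: base 0x1000 and a size chosen so that
	 * base + size == 2^64, which wraps to exactly 0. */
	unsigned long long base = 0x1000ULL;
	unsigned long long size = 0xfffffffffffff000ULL;

	printf("naive check accepts wrapped window: %s\n",
	       a16_window_ok_naive(base, size) ? "yes" : "no");
	printf("fixed check accepts wrapped window: %s\n",
	       a16_window_ok_fixed(base, size) ? "yes" : "no");
	printf("fixed check accepts base 0, size 0x10000: %s\n",
	       a16_window_ok_fixed(0x0ULL, 0x10000ULL) ? "yes" : "no");
	return 0;
}
```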