| 12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849 |
- From 23aa91651cbaf32f10ff75f02c281493ee677dcb Mon Sep 17 00:00:00 2001
- From: Thomas Gleixner <[email protected]>
- Date: Sat, 23 Dec 2017 19:45:11 +0100
- Subject: [PATCH 186/231] x86/cpu_entry_area: Prevent wraparound in
- setup_cpu_entry_area_ptes() on 32bit
- MIME-Version: 1.0
- Content-Type: text/plain; charset=UTF-8
- Content-Transfer-Encoding: 8bit
- CVE-2017-5754
- The loop which populates the CPU entry area PMDs can wrap around on 32bit
- machines when the number of CPUs is small.
- It worked wonderful for NR_CPUS=64 for whatever reason and the moron who
- wrote that code did not bother to test it with !SMP.
- Check for the wraparound to fix it.
- Fixes: 92a0f81d8957 ("x86/cpu_entry_area: Move it out of the fixmap")
- Reported-by: kernel test robot <[email protected]>
- Signed-off-by: Thomas "Feels stupid" Gleixner <[email protected]>
- Tested-by: Borislav Petkov <[email protected]>
- (cherry picked from commit f6c4fd506cb626e4346aa81688f255e593a7c5a0)
- Signed-off-by: Andy Whitcroft <[email protected]>
- Signed-off-by: Kleber Sacilotto de Souza <[email protected]>
- (cherry picked from commit 8a21158932b93ed7e72d16683085d55a3a06125e)
- Signed-off-by: Fabian Grünbichler <[email protected]>
- ---
- arch/x86/mm/cpu_entry_area.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
- diff --git a/arch/x86/mm/cpu_entry_area.c b/arch/x86/mm/cpu_entry_area.c
- index 21e8b595cbb1..fe814fd5e014 100644
- --- a/arch/x86/mm/cpu_entry_area.c
- +++ b/arch/x86/mm/cpu_entry_area.c
- @@ -122,7 +122,8 @@ static __init void setup_cpu_entry_area_ptes(void)
- start = CPU_ENTRY_AREA_BASE;
- end = start + CPU_ENTRY_AREA_MAP_SIZE;
-
- - for (; start < end; start += PMD_SIZE)
- + /* Careful here: start + PMD_SIZE might wrap around */
- + for (; start < end && start >= CPU_ENTRY_AREA_BASE; start += PMD_SIZE)
- populate_extra_pte(start);
- #endif
- }
- --
- 2.14.2
|
