From patchwork Wed Oct  7 16:04:58 2015
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Bjorn Helgaas <helgaas@kernel.org>
X-Patchwork-Id: 7346521
X-Patchwork-Delegate: bhelgaas@google.com
Return-Path: <linux-pci-owner@kernel.org>
X-Original-To: patchwork-linux-pci@patchwork.kernel.org
Delivered-To: patchwork-parsemail@patchwork2.web.kernel.org
Received: from mail.kernel.org (mail.kernel.org [198.145.29.136])
	by patchwork2.web.kernel.org (Postfix) with ESMTP id F0815BEEA4
	for <patchwork-linux-pci@patchwork.kernel.org>;
	Wed,  7 Oct 2015 16:05:07 +0000 (UTC)
Received: from mail.kernel.org (localhost [127.0.0.1])
	by mail.kernel.org (Postfix) with ESMTP id 18B1E20635
	for <patchwork-linux-pci@patchwork.kernel.org>;
	Wed,  7 Oct 2015 16:05:07 +0000 (UTC)
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.kernel.org (Postfix) with ESMTP id 409A920532
	for <patchwork-linux-pci@patchwork.kernel.org>;
	Wed,  7 Oct 2015 16:05:05 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1754775AbbJGQFD (ORCPT
	<rfc822;patchwork-linux-pci@patchwork.kernel.org>);
	Wed, 7 Oct 2015 12:05:03 -0400
Received: from mail.kernel.org ([198.145.29.136]:40195 "EHLO mail.kernel.org"
	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
	id S1754719AbbJGQFC (ORCPT <rfc822;linux-pci@vger.kernel.org>);
	Wed, 7 Oct 2015 12:05:02 -0400
Received: from mail.kernel.org (localhost [127.0.0.1])
	by mail.kernel.org (Postfix) with ESMTP id 2C06E20623;
	Wed,  7 Oct 2015 16:05:00 +0000 (UTC)
Received: from localhost (unknown [69.71.1.1])
	(using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits))
	(No client certificate requested)
	by mail.kernel.org (Postfix) with ESMTPSA id 355FB20532;
	Wed,  7 Oct 2015 16:04:59 +0000 (UTC)
Date: Wed, 7 Oct 2015 11:04:58 -0500
From: Bjorn Helgaas <helgaas@kernel.org>
To: Sasha Levin <sasha.levin@oracle.com>
Cc: Prarit Bhargava <prarit@redhat.com>, bhelgaas@google.com,
	linux-pci@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] PCI: prevent out of bounds access in numa_node override
Message-ID: <20151007160458.GA27633@localhost>
References: <1443995369-11399-1-git-send-email-sasha.levin@oracle.com>
	<20151006193627.GE29420@localhost> <561428CE.2040601@redhat.com>
	<56152725.10809@oracle.com>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <56152725.10809@oracle.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
X-Spam-Status: No, score=-6.9 required=5.0 tests=BAYES_00, RCVD_IN_DNSWL_HI,
	T_RP_MATCHES_RCVD,
	UNPARSEABLE_RELAY autolearn=unavailable version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP
Sender: linux-pci-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-pci.vger.kernel.org>
X-Mailing-List: linux-pci@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

On Wed, Oct 07, 2015 at 10:07:33AM -0400, Sasha Levin wrote:
> > On 10/06/2015 03:36 PM, Bjorn Helgaas wrote:
> >> Hi Sasha,
> >>
> >> On Sun, Oct 04, 2015 at 05:49:29PM -0400, Sasha Levin wrote:
> >>> Commit 63692df1 ("PCI: Allow numa_node override via sysfs") didn't check that
> >>> the numa node provided by userspace is valid. Passing a node number too high
> >>> would attempt to access invalid memory and trigger a kernel panic.
> >>>
> >>> Fixes: 63692df1 ("PCI: Allow numa_node override via sysfs")
> >>> Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
> >>> ---
> >>>  drivers/pci/pci-sysfs.c |    2 +-
> >>>  1 file changed, 1 insertion(+), 1 deletion(-)
> >>>
> >>> diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c
> >>> index 312f23a..e9abca8 100644
> >>> --- a/drivers/pci/pci-sysfs.c
> >>> +++ b/drivers/pci/pci-sysfs.c
> >>> @@ -216,7 +216,7 @@ static ssize_t numa_node_store(struct device *dev,
> >>>  	if (ret)
> >>>  		return ret;
> >>>  
> >>> -	if (!node_online(node))
> >>> +	if (node > MAX_NUMNODES || !node_online(node))
> >>
> >> This needs to be "node >= MAX_NUMNODES", doesn't it?  I'll fix it up if
> >> you agree.
> 
> Yup, you're right.

OK, applied to for-linus for v4.3 as follows.  Thanks a lot, Sasha!


commit 0f7b9ad7477f7ce9b30e9ab0048f6e726f11a08a
Author: Sasha Levin <sasha.levin@oracle.com>
Date:   Sun Oct 4 17:49:29 2015 -0400

    PCI: Prevent out of bounds access in numa_node override
    
    63692df103e9 ("PCI: Allow numa_node override via sysfs") didn't check that
    the numa node provided by userspace is valid.  Passing a node number too
    high would attempt to access invalid memory and trigger a kernel panic.
    
    Fixes: 63692df103e9 ("PCI: Allow numa_node override via sysfs")
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
    Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
    CC: stable@vger.kernel.org	# v3.19+
---
To unsubscribe from this list: send the line "unsubscribe linux-pci" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c
index 312f23a..9261868 100644
--- a/drivers/pci/pci-sysfs.c
+++ b/drivers/pci/pci-sysfs.c
@@ -216,7 +216,7 @@ static ssize_t numa_node_store(struct device *dev,
 	if (ret)
 		return ret;
 
-	if (!node_online(node))
+	if (node >= MAX_NUMNODES || !node_online(node))
 		return -EINVAL;
 
 	add_taint(TAINT_FIRMWARE_WORKAROUND, LOCKDEP_STILL_OK);