2018-01-06 17:13:39 +03:00
|
|
|
From 23aa91651cbaf32f10ff75f02c281493ee677dcb Mon Sep 17 00:00:00 2001
|
|
|
|
From: Thomas Gleixner <tglx@linutronix.de>
|
|
|
|
Date: Sat, 23 Dec 2017 19:45:11 +0100
|
2018-01-07 15:17:59 +03:00
|
|
|
Subject: [PATCH 186/233] x86/cpu_entry_area: Prevent wraparound in
|
2018-01-06 17:13:39 +03:00
|
|
|
setup_cpu_entry_area_ptes() on 32bit
|
|
|
|
MIME-Version: 1.0
|
|
|
|
Content-Type: text/plain; charset=UTF-8
|
|
|
|
Content-Transfer-Encoding: 8bit
|
|
|
|
|
|
|
|
CVE-2017-5754
|
|
|
|
|
|
|
|
The loop which populates the CPU entry area PMDs can wrap around on 32bit
|
|
|
|
machines when the number of CPUs is small.
|
|
|
|
|
|
|
|
It worked wonderful for NR_CPUS=64 for whatever reason and the moron who
|
|
|
|
wrote that code did not bother to test it with !SMP.
|
|
|
|
|
|
|
|
Check for the wraparound to fix it.
|
|
|
|
|
|
|
|
Fixes: 92a0f81d8957 ("x86/cpu_entry_area: Move it out of the fixmap")
|
|
|
|
Reported-by: kernel test robot <fengguang.wu@intel.com>
|
|
|
|
Signed-off-by: Thomas "Feels stupid" Gleixner <tglx@linutronix.de>
|
|
|
|
Tested-by: Borislav Petkov <bp@alien8.de>
|
|
|
|
(cherry picked from commit f6c4fd506cb626e4346aa81688f255e593a7c5a0)
|
|
|
|
Signed-off-by: Andy Whitcroft <apw@canonical.com>
|
|
|
|
Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
|
|
|
|
(cherry picked from commit 8a21158932b93ed7e72d16683085d55a3a06125e)
|
|
|
|
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
|
|
|
|
---
|
|
|
|
arch/x86/mm/cpu_entry_area.c | 3 ++-
|
|
|
|
1 file changed, 2 insertions(+), 1 deletion(-)
|
|
|
|
|
|
|
|
diff --git a/arch/x86/mm/cpu_entry_area.c b/arch/x86/mm/cpu_entry_area.c
|
|
|
|
index 21e8b595cbb1..fe814fd5e014 100644
|
|
|
|
--- a/arch/x86/mm/cpu_entry_area.c
|
|
|
|
+++ b/arch/x86/mm/cpu_entry_area.c
|
|
|
|
@@ -122,7 +122,8 @@ static __init void setup_cpu_entry_area_ptes(void)
|
|
|
|
start = CPU_ENTRY_AREA_BASE;
|
|
|
|
end = start + CPU_ENTRY_AREA_MAP_SIZE;
|
|
|
|
|
|
|
|
- for (; start < end; start += PMD_SIZE)
|
|
|
|
+ /* Careful here: start + PMD_SIZE might wrap around */
|
|
|
|
+ for (; start < end && start >= CPU_ENTRY_AREA_BASE; start += PMD_SIZE)
|
|
|
|
populate_extra_pte(start);
|
|
|
|
#endif
|
|
|
|
}
|
|
|
|
--
|
|
|
|
2.14.2
|
|
|
|
|