[PATCH v2] powerpc/64: Fix memcmp reading past the end of src/dest
Segher Boessenkool
segher at kernel.crashing.org
Sat Feb 9 02:50:09 AEDT 2019
On Fri, Feb 08, 2019 at 05:12:21PM +1100, Michael Ellerman wrote:
> Segher Boessenkool <segher at kernel.crashing.org> writes:
> > On Thu, Feb 07, 2019 at 10:53:13PM +1100, Michael Ellerman wrote:
> >> Chandan reported that fstests' generic/026 test hit a crash:
> >
> >> The instruction dump decodes as:
> >> subfic r6,r5,8
> >> rlwinm r6,r6,3,0,28
> >> ldbrx r9,0,r3
> >> ldbrx r10,0,r4 <-
> >>
> >> Which shows us doing an 8 byte load from c00000062ac3fff9, which
> >> crosses the page boundary at c00000062ac40000 and faults.
> >>
> >> It's not OK for memcmp to read past the end of the source or
> >> destination buffers.
> >
> > It's not okay to access memory pages unsolicited. Reading past the end
> > is fine per se.
>
> Yeah I guess that's true.
>
> Things like KASAN/valgrind probably disagree, but KASAN at least
> overrides memcmp AIUI.
>
> I guess I feel better about it not reading past the end of the buffers,
> but maybe I'm being paranoid.
Sure, and that may be the best thing to do in the kernel. OTOH, newer GCC
will inline many mem* for powerpc, and it will access past the end of
strings and buffers (but not past 4kB boundaries).
> The other complication is we support multiple page sizes, so detecting a
> page boundary is more complicated than it could be.
Yeah.
> So I guess I'm inclined to stick with this approach, but I can update
> the change log.
Thanks! I mentioned it because this was the bug that was hit here: reading
past the end had no ill effect (as far as we know), but accessing the wrong
page did :-)
Segher