• x86/intel_rdt: Fix out-of-bounds memory access in CBM tests · 49e00eee
    Reinette Chatre authored
    While the DOC at the beginning of lib/bitmap.c explicitly states that
    "The number of valid bits in a given bitmap does _not_ need to be an
    exact multiple of BITS_PER_LONG.", some of the bitmap operations do
    indeed access BITS_PER_LONG portions of the provided bitmap no matter
    the size of the provided bitmap. For example, if bitmap_intersects()
    is provided with an 8 bit bitmap the operation will access
    BITS_PER_LONG bits from the provided bitmap. While the operation
    ensures that these extra bits do not affect the result, the memory
    is still accessed.
    
    The capacity bitmasks (CBMs) are typically stored in u32 since they
    can never exceed 32 bits. A few instances exist where a bitmap_*
    operation is performed on a CBM by simply pointing the bitmap operation
    to the stored u32 value.
    
    The consequence of this pattern is that some bitmap_* operations will
    access out-of-bounds memory when interacting with the provided CBM. This
    is confirmed with a KASAN test that reports:
    
     BUG: KASAN: stack-out-of-bounds in __bitmap_intersects+0xa2/0x100
    
    and
    
     BUG: KASAN: stack-out-of-bounds in __bitmap_weight+0x58/0x90
    
    Fix this by moving any CBM provided to a bitmap operation needing
    BITS_PER_LONG to an 'unsigned long' variable.
    
    [ tglx: Changed related function arguments to unsigned long and got rid
    	of the _cbm extra step ]
    
    Fixes: 72d50505 ("x86/intel_rdt: Add utilities to test pseudo-locked region possibility")
    Fixes: 49f7b4ef ("x86/intel_rdt: Enable setting of exclusive mode")
    Fixes: d9b48c86 ("x86/intel_rdt: Display resource groups' allocations' size in bytes")
    Fixes: 95f0b77e ("x86/intel_rdt: Initialize new resource group with sane defaults")
    Signed-off-by: Reinette Chatre <reinette.chatre@intel.com>
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Cc: fenghua.yu@intel.com
    Cc: tony.luck@intel.com
    Cc: gavin.hindman@intel.com
    Cc: jithu.joseph@intel.com
    Cc: dave.hansen@intel.com
    Cc: hpa@zytor.com
    Link: https://lkml.kernel.org/r/69a428613a53f10e80594679ac726246020ff94f.1538686926.git.reinette.chatre@intel.com
    Signed-off-by: Ingo Molnar <mingo@kernel.org>
intel_rdt_pseudo_lock.c 42.7 KB
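
The access pattern described in the commit message above, as an added userspace example (not code from the commit or from the kernel): `intersects` models the full-word loads of a bitmap operation, `oob_bytes` computes how far those loads run past a `u32`, and `cbm_overlaps` applies the widen-to-`unsigned long` fix. All function names and the sample CBM values are assumptions made for illustration.

```c
/* Added userspace model of the pattern; not kernel code. Names are illustrative. */
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

#define BITS_PER_LONG     (sizeof(unsigned long) * CHAR_BIT)
#define BITS_TO_LONGS(n)  (((n) + BITS_PER_LONG - 1) / BITS_PER_LONG)
#define LAST_WORD_MASK(n) (~0UL >> (-(n) & (BITS_PER_LONG - 1)))

/* Word-wise intersect test: every load is a full unsigned long. */
static int intersects(const unsigned long *a, const unsigned long *b, unsigned int n)
{
	size_t k, lim = n / BITS_PER_LONG;
	for (k = 0; k < lim; k++)
		if (a[k] & b[k])
			return 1;
	if (n % BITS_PER_LONG)
		return ((a[k] & b[k]) & LAST_WORD_MASK(n)) != 0;
	return 0;
}

/* Bytes read past an object of storage_bytes that holds an nbits bitmap. */
static size_t oob_bytes(size_t storage_bytes, unsigned int nbits)
{
	size_t touched = BITS_TO_LONGS(nbits) * sizeof(unsigned long);
	return touched > storage_bytes ? touched - storage_bytes : 0;
}

/* Fix pattern from the commit message: widen the u32 CBM first. */
static int cbm_overlaps(uint32_t cbm_a, uint32_t cbm_b, unsigned int cbm_len)
{
	unsigned long a = cbm_a, b = cbm_b;
	return intersects(&a, &b, cbm_len);
}

/* Constructed input: junk above bit 31 stands in for neighbouring memory. */
static int junk_is_masked(uint32_t cbm_a, uint32_t cbm_b, unsigned int cbm_len)
{
	unsigned long junk = (~0UL << 16) << 16;	/* 0 if long is 32-bit */
	unsigned long a = cbm_a | junk, b = cbm_b | junk;
	return intersects(&a, &b, cbm_len) == cbm_overlaps(cbm_a, cbm_b, cbm_len);
}

int main(void)
{
	printf("oob=%zu overlap=%d junk_masked=%d\n", oob_bytes(sizeof(uint32_t), 8),
	       cbm_overlaps(0x0f, 0x18, 8), junk_is_masked(0x0f, 0xf0, 8));
	return 0;
}
```

The masked result is correct either way, which is why the defect shows up only as the KASAN report on the load itself, not as wrong behaviour.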