[PATCH] resource: Fix integer overflow at reallocation
From: Takashi Iwai
Date: Mon Apr 02 2018 - 03:16:34 EST
We've got a bug report indicating a kernel panic at booting on an
x86-32 system, and it turned out to be the invalid resource assigned
after reallocation. __find_resource() first aligns the resource start
address and resets the end address with start+size-1 accordingly, then
checks whether it's contained. Here the end address may overflow the
integer, although resource_contains() still returns true because the
function validates only start and end address. So this ends up with
returning an invalid resource (start > end).
There was already an attempt to cover such a problem in the commit
47ea91b4052d ("Resource: fix wrong resource window calculation"), but
this case is an overseen one.
This patch adds the validity check of the newly calculated resource
for avoiding the integer overflow problem.
Bugzilla: http://bugzilla.opensuse.org/show_bug.cgi?id=1086739
Fixes: 23c570a67448 ("resource: ability to resize an allocated resource")
Reported-and-tested-by: Michael Henders <hendersm@xxxxxxx>
Cc: <stable@xxxxxxxxxxxxxxx>
Signed-off-by: Takashi Iwai <tiwai@xxxxxxx>
---
Bjorn, I send this to you since the bug hits during PCI init, although
the culprit is in generic resource management.
kernel/resource.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/kernel/resource.c b/kernel/resource.c
index e270b5048988..2af6c03858b9 100644
--- a/kernel/resource.c
+++ b/kernel/resource.c
@@ -651,7 +651,8 @@ static int __find_resource(struct resource *root, struct resource *old,
alloc.start = constraint->alignf(constraint->alignf_data, &avail,
size, constraint->align);
alloc.end = alloc.start + size - 1;
- if (resource_contains(&avail, &alloc)) {
+ if (alloc.start <= alloc.end &&
+ resource_contains(&avail, &alloc)) {
new->start = alloc.start;
new->end = alloc.end;
return 0;
--
2.16.2