[PATCH 2/2] arm64: fixmap: check idx is definitely valid

Laura Abbott lauraa at codeaurora.org
Thu Mar 5 10:48:30 PST 2015


On 3/4/2015 5:27 AM, Mark Rutland wrote:
> Fixmap indices are in the interval (FIX_HOLE, __end_of_fixed_addresses),
> but in __set_fixmap we only check idx <= __end_of_fixed_addresses, and
> therefore indices <= FIX_HOLE are erroneously accepted. If called with
> such an idx, __set_fixmap may corrupt page tables outside of the fixmap
> region.
>
> This patch ensures that we validate the idx against both endpoints of
> the interval.
>
> Signed-off-by: Mark Rutland <mark.rutland at arm.com>
> Cc: Ard Biesheuvel <ard.biesheuvel at linaro.org>
> Cc: Catalin Marinas <catalin.marinas at arm.com>
> Cc: Kees Cook <keescook at chromium.org>
> Cc: Laura Abbott <lauraa at codeaurora.org>
> Cc: Will Deacon <will.deacon at arm.com>

Acked-by: Laura Abbott <lauraa at codeaurora.org>

> ---
>   arch/arm64/mm/mmu.c | 5 +----
>   1 file changed, 1 insertion(+), 4 deletions(-)
>
> diff --git a/arch/arm64/mm/mmu.c b/arch/arm64/mm/mmu.c
> index c6daaf6..c9267ac 100644
> --- a/arch/arm64/mm/mmu.c
> +++ b/arch/arm64/mm/mmu.c
> @@ -627,10 +627,7 @@ void __set_fixmap(enum fixed_addresses idx,
>   	unsigned long addr = __fix_to_virt(idx);
>   	pte_t *pte;
>
> -	if (idx >= __end_of_fixed_addresses) {
> -		BUG();
> -		return;
> -	}
> +	BUG_ON(idx <= FIX_HOLE || idx >= __end_of_fixed_addresses);
>
>   	pte = fixmap_pte(addr);
>
>
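
Review bot: the new `BUG_ON(idx <= FIX_HOLE || idx >= __end_of_fixed_addresses);` line carries no comment saying that valid indices form the open interval (FIX_HOLE, __end_of_fixed_addresses), so the reason for excluding FIX_HOLE itself is only recoverable from the changelog; a one-line comment above the check would keep that with the code. The changelog also describes the old test as "idx <= __end_of_fixed_addresses", while the removed lines show `idx >= __end_of_fixed_addresses`, so the message should read ">=" to match what is being replaced. Separately, `addr = __fix_to_virt(idx)` in the declaration still runs before idx is validated; that is fine while the conversion is pure arithmetic and addr is only used after the BUG_ON, but moving the assignment below the check would make the ordering obvious.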


-- 
Qualcomm Innovation Center, Inc.
Qualcomm Innovation Center, Inc. is a member of Code Aurora Forum,
a Linux Foundation Collaborative Project
This e-mail address will be inactive after March 20, 2015
Please contact privately for follow up after that date.


