Bug 123211

Summary: integer truncation in pnp_add_dma_resource
Product: Drivers    Reporter: Thore Bödecker (me)
Component: PNP    Assignee: Adam Belay (ambx1)
Status: NEW ---
Severity: normal    CC: alan, me, pageexec
Priority: P1
Hardware: All
OS: Linux
Kernel Version: 4.6.3    Subsystem:
Regression: No    Bisected commit-id:
Attachments: grsec kernel trace; fix from the PaX Team

Description Thore Bödecker 2016-07-12 11:08:04 UTC
Created attachment 222971: grsec kernel trace

Running a grsec hardened kernel on my router box revealed an issue in the PNP subsystem which leads to an integer truncation.

I stumbled upon this because grsec PaX was greeting me with the following message on boot:

PAX: size overflow detected in function pnp_assign_resources drivers/pnp/manager.c:230
I have attached a full trace as pnp_trace.txt, gathered using a serial console.

For this issue I opened a support thread on the grsecurity forums:
https://forums.grsecurity.net/viewtopic.php?f=3&t=4511

The PaX Team responded very quickly with a patch for this issue that successfully fixed the problem on my router box.
Thanks again to the PaX Team for that.


This is the patch from the PaX Team:

--- a/drivers/pnp/base.h 2015-06-22 11:14:33.380675235 +0200
+++ b/drivers/pnp/base.h  2016-07-12 10:17:03.951990733 +0200
@@ -163,7 +163,7 @@ struct pnp_resource *pnp_add_resource(st
                                      struct resource *res);
 struct pnp_resource *pnp_add_irq_resource(struct pnp_dev *dev, int irq,
                                          int flags);
-struct pnp_resource *pnp_add_dma_resource(struct pnp_dev *dev, int dma,
+struct pnp_resource *pnp_add_dma_resource(struct pnp_dev *dev, resource_size_t dma,
                                          int flags);
 struct pnp_resource *pnp_add_io_resource(struct pnp_dev *dev,
                                         resource_size_t start,
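Review bot: widening the `dma` parameter from `int` to `resource_size_t` in this prototype only removes the truncation if every call site passes the channel without an intermediate `int`; the report's trace names pnp_assign_resources (drivers/pnp/manager.c:230), so that caller in particular should be re-checked, and any other declaration of pnp_add_dma_resource outside base.h must be updated to match or the build will fail on a conflicting prototype.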
--- a/drivers/pnp/resource.c     2015-04-13 11:21:28.578616034 +0200
+++ b/drivers/pnp/resource.c      2016-07-12 10:23:08.274441934 +0200
@@ -543,7 +543,7 @@ struct pnp_resource *pnp_add_irq_resourc
        return pnp_res;
 }

-struct pnp_resource *pnp_add_dma_resource(struct pnp_dev *dev, int dma,
+struct pnp_resource *pnp_add_dma_resource(struct pnp_dev *dev, resource_size_t dma,
                                          int flags)
 {
        struct pnp_resource *pnp_res;
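Review bot: the definition now agrees with the base.h prototype, but this hunk changes nothing about how `dma` is used in the body; confirm that the fields the value is stored into (the `start`/`end` of the `struct resource`, which are `resource_size_t`) receive it directly so no narrowing conversion remains further down in the function.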
@@ -551,7 +551,7 @@ struct pnp_resource *pnp_add_dma_resourc

        pnp_res = pnp_new_resource(dev);
        if (!pnp_res) {
-               dev_err(&dev->dev, "can't add resource for DMA %d\n", dma);
+               dev_err(&dev->dev, "can't add resource for DMA %lld\n", dma);
                return NULL;
        }

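Review bot: `%lld` does not match a `resource_size_t` argument, which is unsigned and, on 32-bit configurations without CONFIG_PHYS_ADDR_T_64BIT, only 32 bits wide, so this `dev_err` would pass the wrong-size and wrong-signedness value to the format (and trip the compiler's printf format warning). The usual kernel idiom is an explicit cast, e.g. `dev_err(&dev->dev, "can't add resource for DMA %llu\n", (unsigned long long)dma);`, or the `%pa` specifier with `&dma`.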
If I'm not mistaken this bug is still present in git ^HEAD.


Specs of my affected system:
CPU: Intel Core i3-4130
RAM: 8GB ECC
Board: MSI CSM-C222-089
SSD: Crucial MX100 256GB
OS: Archlinux 64-bit


Best Regards,
Thore Bödecker

Comment 1 Thore Bödecker 2016-07-12 11:08:50 UTC
Created attachment 222981: fix from the PaX Team

Comment 2 Alan 2016-08-14 15:56:04 UTC
PnP DMA channels can never be that large a value.