Bug 123211 - integer truncation in pnp_add_dma_resource
Summary: integer truncation in pnp_add_dma_resource
Status: NEW
Alias: None
Product: Drivers
Classification: Unclassified
Component: PNP (show other bugs)
Hardware: All Linux
: P1 normal
Assignee: Adam Belay
Depends on:
Reported: 2016-07-12 11:08 UTC by Thore Bödecker
Modified: 2016-08-14 15:56 UTC (History)
3 users (show)

See Also:
Kernel Version: 4.6.3
Regression: No
Bisected commit-id:

grsec kernel trace (3.29 KB, text/plain)
2016-07-12 11:08 UTC, Thore Bödecker
fix from the PaX Team (1.48 KB, patch)
2016-07-12 11:08 UTC, Thore Bödecker
Details | Diff

Description Thore Bödecker 2016-07-12 11:08:04 UTC
Created attachment 222971 [details]
grsec kernel trace

Running a grsec hardened kernel on my router box revealed an issue in the PNP subsystem which leads to an integer truncation.

I stumbled upon this because grsec PAX was greeting me with following message on boot:

PAX: size overflow detected in function pnp_assign_resources drivers/pnp/manager.c:230

I have attached a full trace as pnp_trace.txt, gathered using a serial console.

For this issue I opened a support thread on the grsecurity forums:

The PaX Team responded very quickly with a patch for this issue, that successfully fixed the problem on my router box.
Thanks again to the PaX Team for that.

This is the patch from the PaX Team:

--- a/drivers/pnp/base.h 2015-06-22 11:14:33.380675235 +0200
+++ b/drivers/pnp/base.h  2016-07-12 10:17:03.951990733 +0200
@@ -163,7 +163,7 @@ struct pnp_resource *pnp_add_resource(st
                                      struct resource *res);
 struct pnp_resource *pnp_add_irq_resource(struct pnp_dev *dev, int irq,
                                          int flags);
-struct pnp_resource *pnp_add_dma_resource(struct pnp_dev *dev, int dma,
+struct pnp_resource *pnp_add_dma_resource(struct pnp_dev *dev, resource_size_t dma,
                                          int flags);
 struct pnp_resource *pnp_add_io_resource(struct pnp_dev *dev,
                                         resource_size_t start,
--- a/drivers/pnp/resource.c     2015-04-13 11:21:28.578616034 +0200
+++ b/drivers/pnp/resource.c      2016-07-12 10:23:08.274441934 +0200
@@ -543,7 +543,7 @@ struct pnp_resource *pnp_add_irq_resourc
        return pnp_res;

-struct pnp_resource *pnp_add_dma_resource(struct pnp_dev *dev, int dma,
+struct pnp_resource *pnp_add_dma_resource(struct pnp_dev *dev, resource_size_t dma,
                                          int flags)
        struct pnp_resource *pnp_res;
@@ -551,7 +551,7 @@ struct pnp_resource *pnp_add_dma_resourc

        pnp_res = pnp_new_resource(dev);
        if (!pnp_res) {
-               dev_err(&dev->dev, "can't add resource for DMA %d\n", dma);
+               dev_err(&dev->dev, "can't add resource for DMA %lld\n", dma);
                return NULL;

If I'm not mistaken this bug is still present in git ^HEAD.

Specs of my affected system:
CPU: Intel Core i3-4130
Board: MSI CSM-C222-089
SSD: Crucial MX100 256GB
OS: Archlinux 64-bit

Best Regards,
Thore Bödecker
Comment 1 Thore Bödecker 2016-07-12 11:08:50 UTC
Created attachment 222981 [details]
fix from the PaX Team
Comment 2 Alan 2016-08-14 15:56:04 UTC
PnP DMA channels can never be that large a value.

Note You need to log in before you can comment on or make changes to this bug.