Commit b63dbef9 authored by Mark Rutland, committed by Will Deacon

arm64: fixmap: check idx is definitely valid

Fixmap indices are in the interval (FIX_HOLE, __end_of_fixed_addresses),
but in __set_fixmap we only check idx <= __end_of_fixed_addresses, and
therefore indices <= FIX_HOLE are erroneously accepted. If called with
such an idx, __set_fixmap may corrupt page tables outside of the fixmap
region.

This patch ensures that we validate the idx against both endpoints of
the interval.

Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Kees Cook <keescook@chromium.org>
Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Acked-by: Laura Abbott <lauraa@codeaurora.org>
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
parent 19fc5775
...@@ -627,10 +627,7 @@ void __set_fixmap(enum fixed_addresses idx, ...@@ -627,10 +627,7 @@ void __set_fixmap(enum fixed_addresses idx,
unsigned long addr = __fix_to_virt(idx); unsigned long addr = __fix_to_virt(idx);
pte_t *pte; pte_t *pte;
if (idx >= __end_of_fixed_addresses) { BUG_ON(idx <= FIX_HOLE || idx >= __end_of_fixed_addresses);
BUG();
return;
}
pte = fixmap_pte(addr); pte = fixmap_pte(addr);
......
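Review bot: The new `BUG_ON(idx <= FIX_HOLE || idx >= __end_of_fixed_addresses);` drops the explicit `return;` that followed `BUG()` in the removed block, so if BUG() can return in any build configuration, an out-of-range idx now falls through to `pte = fixmap_pte(addr);` instead of bailing out. Either keep an explicit early return for the invalid case or say in the commit message that the old `return;` was unreachable and is removed on purpose. Separately, the message describes the old check as `idx <= __end_of_fixed_addresses`, while the removed line tests `idx >= __end_of_fixed_addresses`; the wording should match the code. A one-line comment above the BUG_ON stating that valid indices lie strictly between FIX_HOLE and __end_of_fixed_addresses would keep the lower bound from being dropped again later.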