[pve-kernel.git] / patches / kernel / 0186-x86-cpu_entry_area-Prevent-wraparound-in-setup_cpu_e.patch

From 23aa91651cbaf32f10ff75f02c281493ee677dcb Mon Sep 17 00:00:00 2001
From: Thomas Gleixner <tglx@linutronix.de>
Date: Sat, 23 Dec 2017 19:45:11 +0100
Subject: [PATCH 186/233] x86/cpu_entry_area: Prevent wraparound in
 setup_cpu_entry_area_ptes() on 32bit
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

CVE-2017-5754

The loop which populates the CPU entry area PMDs can wrap around on 32bit
machines when the number of CPUs is small.

It worked wonderful for NR_CPUS=64 for whatever reason and the moron who
wrote that code did not bother to test it with !SMP.

Check for the wraparound to fix it.

Fixes: 92a0f81d8957 ("x86/cpu_entry_area: Move it out of the fixmap")
Reported-by: kernel test robot <fengguang.wu@intel.com>
Signed-off-by: Thomas "Feels stupid" Gleixner <tglx@linutronix.de>
Tested-by: Borislav Petkov <bp@alien8.de>
(cherry picked from commit f6c4fd506cb626e4346aa81688f255e593a7c5a0)
Signed-off-by: Andy Whitcroft <apw@canonical.com>
Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
(cherry picked from commit 8a21158932b93ed7e72d16683085d55a3a06125e)
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
 arch/x86/mm/cpu_entry_area.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/arch/x86/mm/cpu_entry_area.c b/arch/x86/mm/cpu_entry_area.c
index 21e8b595cbb1..fe814fd5e014 100644
--- a/arch/x86/mm/cpu_entry_area.c
+++ b/arch/x86/mm/cpu_entry_area.c
@@ -122,7 +122,8 @@ static __init void setup_cpu_entry_area_ptes(void)
        start = CPU_ENTRY_AREA_BASE;
        end = start + CPU_ENTRY_AREA_MAP_SIZE;
 
-       for (; start < end; start += PMD_SIZE)
+       /* Careful here: start + PMD_SIZE might wrap around */
+       for (; start < end && start >= CPU_ENTRY_AREA_BASE; start += PMD_SIZE)
                populate_extra_pte(start);
 #endif
 }
-- 
2.14.2