Re: CVE-2022-49623: powerpc/xive/spapr: correct bitmap allocation size

From: zhangjianhua (E)
Date: Thu Mar 06 2025 - 22:16:52 EST

Next message: H. Peter Anvin: "Re: [PATCH v3 00/16] Introduce and use generic parity16/32/64 helper"
Previous message: pr-tracker-bot: "Re: [git pull] drm fixes for 6.14-rc6"
In reply to: Greg KH: "Re: CVE-2022-49623: powerpc/xive/spapr: correct bitmap allocation size"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Yes, there is still some confusion about this bugfix patch. Hope Nathan and Michael can explain and give more details.

在 2025/3/6 21:58, Greg KH 写道:

On Thu, Mar 06, 2025 at 09:41:41PM +0800, zhangjianhua (E) wrote:

Hi Greg，

The commit message of this patch show that it occurs out-of-bounds of
xibm->bitmap，the reason is that the allocated object can be smaller than
sizeof(long) while bits is small.

However, it is incorrect. The kzalloc interface allocates memory in the
unit of byte while bitmap_zalloc does based on the number of bits after
rounded up, the space allocated by the kzalloc is not less than that
allocated by the bitmap_zalloc. Therefore, replacing the kzalloc with the
bitmap_zalloc does not solve the problem. In fact, the problem of
out-of-bounds access does not exist. For instance the xibm->count is
3，kzalloc and bitmap_zalloc both return 8 bytes，it's enough for all
bitmap. Although using the kzalloc wastes some memory, it does not create
any real problems.

Maybe this CVE should be rejected?

We will be glad to reject this if you think this does not actually fix
anything at all. If so, just let us know.

thanks,

greg k-h

Next message: H. Peter Anvin: "Re: [PATCH v3 00/16] Introduce and use generic parity16/32/64 helper"
Previous message: pr-tracker-bot: "Re: [git pull] drm fixes for 6.14-rc6"
In reply to: Greg KH: "Re: CVE-2022-49623: powerpc/xive/spapr: correct bitmap allocation size"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]