arm64: fixmap: check idx is definitely valid

Fixmap indices are in the interval (FIX_HOLE, __end_of_fixed_addresses), but in __set_fixmap we only check idx <= __end_of_fixed_addresses, and therefore indices <= FIX_HOLE are erroneously accepted. If called with such an idx, __set_fixmap may corrupt page tables outside of the fixmap region. This patch ensures that we validate the idx against both endpoints of the interval. Cc: Catalin Marinas <catalin.marinas@arm.com> Cc: Kees Cook <keescook@chromium.org> Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> Acked-by: Laura Abbott <lauraa@codeaurora.org> Signed-off-by: Mark Rutland <mark.rutland@arm.com> Signed-off-by: Will Deacon <will.deacon@arm.com>
author: Mark Rutland <mark.rutland@arm.com> 2015-03-04 13:27:35 +0000
committer: Will Deacon <will.deacon@arm.com> 2015-03-19 10:43:57 +0000
commit: b63dbef93f91d56cb4385fdd8d1765201d451136 (patch)
tree: f984f35a54b63029f2e8e5598a46adff3a726010
parent: 19fc577579c86fec6e2523baeb457b02e939796f (diff)
1 files changed, 1 insertions, 4 deletions
diff --git a/arch/arm64/mm/mmu.c b/arch/arm64/mm/mmu.c
index c6daaf6c6f97..c9267acb699c 100644
--- a/arch/arm64/mm/mmu.c
+++ b/arch/arm64/mm/mmu.c
@@ -627,10 +627,7 @@ void __set_fixmap(enum fixed_addresses idx,
 	unsigned long addr = __fix_to_virt(idx);
 	pte_t *pte;
 
-	if (idx >= __end_of_fixed_addresses) {
-		BUG();
-		return;
-	}
+	BUG_ON(idx <= FIX_HOLE || idx >= __end_of_fixed_addresses);
 
 	pte = fixmap_pte(addr);
author	Mark Rutland <mark.rutland@arm.com>	2015-03-04 13:27:35 +0000
committer	Will Deacon <will.deacon@arm.com>	2015-03-19 10:43:57 +0000
commit	b63dbef93f91d56cb4385fdd8d1765201d451136 (patch)
tree	f984f35a54b63029f2e8e5598a46adff3a726010
parent	19fc577579c86fec6e2523baeb457b02e939796f (diff)