lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20121129170241.GT2474@linux.vnet.ibm.com>
Date:	Thu, 29 Nov 2012 09:02:41 -0800
From:	"Paul E. McKenney" <paulmck@...ux.vnet.ibm.com>
To:	Markus Trippelsdorf <markus@...ppelsdorf.de>
Cc:	linux-kernel@...r.kernel.org
Subject: Re: kernel/rcutree.c:2850:13: warning: array subscript is above
 array bounds

On Thu, Nov 29, 2012 at 02:47:52PM +0100, Markus Trippelsdorf wrote:
> With gcc-4.8 I get:
> 
>   CC      kernel/rcutree.o
>   kernel/rcutree.c: In function ‘rcu_init_one’:
>   kernel/rcutree.c:2850:13: warning: array subscript is above array bounds [-Warray-bounds]
>      rsp->level[i] = rsp->level[i - 1] + rsp->levelcnt[i - 1];
>                   ^
> 2849    for (i = 1; i < rcu_num_lvls; i++)
> 2850           rsp->level[i] = rsp->level[i - 1] + rsp->levelcnt[i - 1];
> 
> At first I thought that the warning was bogus, but rcu_num_lvls isn't static
> and gets modified prior to the for loop.

You are quite correct that rcu_num_lvls does get modified, but there
are checks in rcu_init_geometry() to ensure that it does not increase:

	/*
	 * The boot-time rcu_fanout_leaf parameter is only permitted
	 * to increase the leaf-level fanout, not decrease it.  Of course,
	 * the leaf-level fanout cannot exceed the number of bits in
	 * the rcu_node masks.  Finally, the tree must be able to accommodate
	 * the configured number of CPUs.  Complain and fall back to the
	 * compile-time values if these limits are exceeded.
	 */
	if (rcu_fanout_leaf < CONFIG_RCU_FANOUT_LEAF ||
	    rcu_fanout_leaf > sizeof(unsigned long) * 8 ||
	    n > rcu_capacity[MAX_RCU_LVLS]) {
		WARN_ON(1);
		return;
	}

The value of rcu_num_lvls starts out at RCU_NUM_LVLS, the same as
the dimension of the ->level[] array.  The loop goes only to one less
than rcu_num_lvls, as needed, and rcu_num_lvls is never greater than
RCU_NUM_LVLS, so this should be safe.

So what am I missing here?

							Thanx, Paul

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ