[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20130927190312.GV21253@outflux.net>
Date: Fri, 27 Sep 2013 12:03:12 -0700
From: Kees Cook <kees@...flux.net>
To: Dmitry Vyukov <dvyukov@...gle.com>
Cc: Andi Kleen <ak@...ux.intel.com>, Wolfram Gloger <wg@...loc.de>,
LKML <linux-kernel@...r.kernel.org>,
Paul Turner <pjt@...gle.com>,
Andrey Konovalov <andreyknvl@...gle.com>,
Kostya Serebryany <kcc@...gle.com>, x86@...nel.org
Subject: Re: Out-of-bounds access in get_wchan (arch/x86/kernel/process_64.c)
On Wed, Sep 11, 2013 at 10:16:32PM +0400, Dmitry Vyukov wrote:
> On Wed, Sep 11, 2013 at 2:06 AM, Andi Kleen <ak@...ux.intel.com> wrote:
> >> Indeed, get_wchan ensures that fp<stack+THREAD_SIZE, but then dereferences fp+8:
> >>
> >> 434 if (fp < (unsigned long)stack ||
> >> 435 fp >= (unsigned long)stack+THREAD_SIZE)
> >> 436 return 0;
> >> 437 ip = *(u64 *)(fp+8);
> >>
> >> It must check that fp+8<stack+THREAD_SIZE.
> >> As far as I see, the bug can lead to garbage return values or in the
> >> worst case to crash.
> >
> > Thanks for the report.
> >
> > The change looks good to me. Can you please submit a formal signed off patch
> > to x86@...nel.org ?
Can you CC this to lkml as well? x86@ isn't a public list, IIUC.
Please note that these bounds checks aren't correct to begin with. Since
a pointer is being dereferenced, the end boundry must be reduced by
sizeof(unsigned long) as well.
It looks like process_32.c suffers the same problems, too.
-Kees
--
Kees Cook @outflux.net
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists