| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <1499259199-15161-1-git-send-email-liangchen.linux@gmail.com>
Date: Wed, 5 Jul 2017 20:53:19 +0800
From: Liang Chen <liangchen.linux@...il.com>
To: linux-bcache@...r.kernel.org
Cc: linux-kernel@...r.kernel.org, colyli@...e.de,
bcache@...ux.ewheeler.net, Liang Chen <liangchen.linux@...il.com>
Subject: [PATCH] bcache: avoid a dangerous addressing in closure_queue
The use of the union reduces the size of closure struct by taking advantage
of the current size of its members. The offset of func in work_struct equals
the size of the first three members, so that work.work_func will just
reference the forth member - the pointer to closure_fn.
This is smart but dangerous. It can be broken if work_struct or the other
ones get changed, and can be a bit difficult to debug.
Signed-off-by: Liang Chen <liangchen.linux@...il.com>
---
drivers/md/bcache/closure.h | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/md/bcache/closure.h b/drivers/md/bcache/closure.h
index 1ec84ca..665c470 100644
--- a/drivers/md/bcache/closure.h
+++ b/drivers/md/bcache/closure.h
@@ -251,8 +251,9 @@ static inline void set_closure_fn(struct closure *cl, closure_fn *fn,
static inline void closure_queue(struct closure *cl)
{
struct workqueue_struct *wq = cl->wq;
+ closure_fn *fn = cl->fn;
if (wq) {
- INIT_WORK(&cl->work, cl->work.func);
+ INIT_WORK(&cl->work, (work_func_t)fn);
BUG_ON(!queue_work(wq, &cl->work));
} else
cl->fn(cl);
--
1.8.3.1
Powered by blists - more mailing lists