Date: Tue, 16 Apr 2019 18:53:51 -0700
From: "Luck, Tony" <tony.luck@...el.com>
To: Cong Wang <xiyou.wangcong@...il.com>
Cc: Borislav Petkov <bp@...en8.de>, LKML <linux-kernel@...r.kernel.org>,
 linux-edac@...r.kernel.org, Thomas Gleixner <tglx@...utronix.de>
Subject: Re: [PATCH 1/2] ras: fix an off-by-one error in __find_elem()

On Tue, Apr 16, 2019 at 04:47:55PM -0700, Cong Wang wrote:
> static void del_elem(struct ce_array *ca, int idx)
> {
>         /* Save us a function call when deleting the last element. */
>         if (ca->n - (idx + 1))
>                 memmove((void *)&ca->array[idx],
>                         (void *)&ca->array[idx + 1],
>                         (ca->n - (idx + 1)) * sizeof(u64));
>
>         ca->n--;
> }
>
> idx is ca->n and ca->n is MAX_ELEMS-1, then the above if statement
> becomes true, therefore idx+1 is MAX_ELEMS which is just beyond
> the valid range.

Is that really the memmove() where we die? It looks like it has a
special case for dealing with the last element.

But this:

        ret = find_elem(ca, pfn, &to);
        if (ret < 0) {
                /*
                 * Shift range [to-end] to make room for one more element.
                 */
                memmove((void *)&ca->array[to + 1],
                        (void *)&ca->array[to],
                        (ca->n - to) * sizeof(u64));

looks like it also needs a special case for when "to == MAX_ELEMS-1"
(we don't need to memmove).

-Tony
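
Added example, not part of the message above and not the kernel's code: the two memmove() call sites under discussion, rewritten as user-space helpers that validate the index before computing the byte count. The struct name, the helper names, the MAX_ELEMS value and the size_t type of n are assumptions made for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_ELEMS 8              /* constructed capacity, not the kernel's value */

struct ce_array_demo {           /* hypothetical stand-in for struct ce_array */
	uint64_t array[MAX_ELEMS];
	size_t n;                /* number of valid elements */
};

/* Delete element idx. Returns 0, or -1 if idx is not a valid element. */
static int del_elem_checked(struct ce_array_demo *ca, size_t idx)
{
	if (ca->n > MAX_ELEMS || idx >= ca->n)
		return -1;       /* idx == n would make n - (idx + 1) wrap */
	if (ca->n - (idx + 1))   /* nothing to move for the last element */
		memmove(&ca->array[idx], &ca->array[idx + 1],
			(ca->n - (idx + 1)) * sizeof(uint64_t));
	ca->n--;
	return 0;
}

/* Insert val at slot to. Returns 0, or -1 if full or to is past the end. */
static int insert_elem_checked(struct ce_array_demo *ca, size_t to, uint64_t val)
{
	if (ca->n >= MAX_ELEMS || to > ca->n)
		return -1;       /* the shift writes array[n], so n must be < MAX_ELEMS */
	if (ca->n - to)          /* appending at the end needs no shift */
		memmove(&ca->array[to + 1], &ca->array[to],
			(ca->n - to) * sizeof(uint64_t));
	ca->array[to] = val;
	ca->n++;
	return 0;
}

int main(void)
{
	struct ce_array_demo ca = { .n = 0 };

	for (size_t i = 0; i < MAX_ELEMS; i++)
		insert_elem_checked(&ca, i, 10 * i);
	printf("insert when full: %d\n", insert_elem_checked(&ca, 0, 1));
	printf("delete idx == n:  %d\n", del_elem_checked(&ca, ca.n));
	printf("delete last:      %d\n", del_elem_checked(&ca, ca.n - 1));
	return 0;
}
```
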