| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 19 Oct 2019 15:55:18 +0200
From: "Christian Brauner" <christian.brauner@...ntu.com>
To: "Jann Horn" <jannh@...gle.com>,
"Greg Kroah-Hartman" <gregkh@...uxfoundation.org>,
Arve Hjønnevåg <arve@...roid.com>,
"Todd Kjos" <tkjos@...roid.com>,
"Martijn Coenen" <maco@...roid.com>,
"Joel Fernandes" <joel@...lfernandes.org>,
"Christian Brauner" <christian@...uner.io>, <jannh@...gle.com>
Cc: <devel@...verdev.osuosl.org>, <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH 3/3] binder: Handle start==NULL in
binder_update_page_range()
On Fri Oct 18, 2019 at 10:56 PM Jann Horn wrote:
> The old loop wouldn't stop when reaching `start` if `start==NULL`, instead
> continuing backwards to index -1 and crashing.
>
> Luckily you need to be highly privileged to map things at NULL, so it's not
> a big problem.
>
> Fix it by adjusting the loop so that the loop variable is always in bounds.
>
> This patch is deliberately minimal to simplify backporting, but IMO this
> function could use a refactor. The jump labels in the second loop body are
> horrible (the error gotos should be jumping to free_range instead), and
> both loops would look nicer if they just iterated upwards through indices.
> And the up_read()+mmput() shouldn't be duplicated like that.
>
> Cc: stable@...r.kernel.org
> Fixes: 457b9a6f09f0 ("Staging: android: add binder driver")
> Signed-off-by: Jann Horn <jannh@...gle.com>
Acked-by: Christian Brauner <christian.brauner@...ntu.com>
Powered by blists - more mailing lists