| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 12 Dec 2019 19:58:48 +0800
From: Walter Wu <walter-zh.wu@...iatek.com>
To: Matthias Brugger <matthias.bgg@...il.com>,
Thomas Gleixner <tglx@...utronix.de>,
Alexander Potapenko <glider@...gle.com>,
Josh Poimboeuf <jpoimboe@...hat.com>
CC: <linux-kernel@...r.kernel.org>,
<linux-arm-kernel@...ts.infradead.org>,
<linux-mediatek@...ts.infradead.org>,
wsd_upstream <wsd_upstream@...iatek.com>,
Walter Wu <walter-zh.wu@...iatek.com>
Subject: [PATCH v2] lib/stackdepot: Fix global out-of-bounds in stackdepot
If the depot_index = STACK_ALLOC_MAX_SLABS - 2 and next_slab_inited = 0,
then it will cause array out-of-bounds access, so that we should modify
the detection to avoid this array out-of-bounds bug.
Assume depot_index = STACK_ALLOC_MAX_SLABS - 3
Consider following call flow sequence:
stack_depot_save()
depot_alloc_stack()
if (unlikely(depot_index + 1 >= STACK_ALLOC_MAX_SLABS)) //pass
depot_index++ //depot_index = STACK_ALLOC_MAX_SLABS - 2
if (depot_index + 1 < STACK_ALLOC_MAX_SLABS) //enter
smp_store_release(&next_slab_inited, 0); //next_slab_inited = 0
init_stack_slab()
if (stack_slabs[depot_index] == NULL) //enter
stack_depot_save()
depot_alloc_stack()
if (unlikely(depot_index + 1 >= STACK_ALLOC_MAX_SLABS)) //pass
depot_index++ //depot_index = STACK_ALLOC_MAX_SLABS - 1
init_stack_slab(&prealloc)
stack_slabs[depot_index + 1] //here get global out-of-bounds
Signed-off-by: Walter Wu <walter-zh.wu@...iatek.com>
---
changes in v2:
modify call flow sequence and preconditon
---
lib/stackdepot.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/stackdepot.c b/lib/stackdepot.c
index ed717dd08ff3..7e8a15e41600 100644
--- a/lib/stackdepot.c
+++ b/lib/stackdepot.c
@@ -106,7 +106,7 @@ static struct stack_record *depot_alloc_stack(unsigned long *entries, int size,
required_size = ALIGN(required_size, 1 << STACK_ALLOC_ALIGN);
if (unlikely(depot_offset + required_size > STACK_ALLOC_SIZE)) {
- if (unlikely(depot_index + 1 >= STACK_ALLOC_MAX_SLABS)) {
+ if (unlikely(depot_index + 2 >= STACK_ALLOC_MAX_SLABS)) {
WARN_ONCE(1, "Stack depot reached limit capacity");
return NULL;
}
--
2.18.0
Powered by blists - more mailing lists