lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CA+fCnZd_eNHes56x3edzcYWeDKW2WRJYqrz_FyCks5wxtLdFdQ@mail.gmail.com>
Date: Wed, 28 Feb 2024 18:10:31 +0100
From: Andrey Konovalov <andreyknvl@...il.com>
To: Dan Carpenter <dan.carpenter@...aro.org>
Cc: Andrew Morton <akpm@...ux-foundation.org>, Alexander Potapenko <glider@...gle.com>, 
	linux-kernel@...r.kernel.org, kernel-janitors@...r.kernel.org, 
	Marco Elver <elver@...gle.com>
Subject: Re: [PATCH] lib/stackdepot: off by one in depot_fetch_stack()

On Fri, Feb 23, 2024 at 3:20 PM Dan Carpenter <dan.carpenter@...aroorg> wrote:
>
> The stack_pools[] array has DEPOT_MAX_POOLS.  The "pools_num" tracks the
> number of pools which are initialized.  See depot_init_pool() for more
> details.
>
> If pool_index == pools_num_cached, this will read one element beyond what
> we want.  If not all the pools are initialized, then the pool will be
> NULL, triggering a WARN(), and if they are all initialized it will read
> one element beyond the end of the array.
>
> Fixes: b29d31885814 ("lib/stackdepot: store free stack records in a freelist")
> Signed-off-by: Dan Carpenter <dan.carpenter@...aro.org>
> ---
> From static analysis.  What seems to have happened is that originally
> we stored the highest index instead of the number of elements and when
> we changed the > to >= comparison was overlooked.
>
>  lib/stackdepot.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/lib/stackdepot.c b/lib/stackdepot.c
> index 8c795bb20afb..af6cc19a2003 100644
> --- a/lib/stackdepot.c
> +++ b/lib/stackdepot.c
> @@ -447,7 +447,7 @@ static struct stack_record *depot_fetch_stack(depot_stack_handle_t handle)
>
>         lockdep_assert_not_held(&pool_lock);
>
> -       if (pool_index > pools_num_cached) {
> +       if (pool_index >= pools_num_cached) {
>                 WARN(1, "pool index %d out of bounds (%d) for stack id %08x\n",
>                      pool_index, pools_num_cached, handle);
>                 return NULL;
> --
> 2.43.0
>

Hi Dan,

This patch needs to be rebased onto "lib/stackdepot: Fix first entry
having a 0-handle", which is now in mm-stable.

Thank you!

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ