lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <5d74dbd9-99e4-4ebe-a9a0-bd8f571d0f56@moroto.mountain>
Date: Thu, 29 Feb 2024 10:22:23 +0300
From: Dan Carpenter <dan.carpenter@...aro.org>
To: Andrey Konovalov <andreyknvl@...il.com>
Cc: Andrew Morton <akpm@...ux-foundation.org>,
	Alexander Potapenko <glider@...gle.com>,
	linux-kernel@...r.kernel.org, kernel-janitors@...r.kernel.org,
	Marco Elver <elver@...gle.com>
Subject: Re: [PATCH] lib/stackdepot: off by one in depot_fetch_stack()

On Wed, Feb 28, 2024 at 06:10:31PM +0100, Andrey Konovalov wrote:
> On Fri, Feb 23, 2024 at 3:20 PM Dan Carpenter <dan.carpenter@...aro.org> wrote:
> >
> > The stack_pools[] array has DEPOT_MAX_POOLS.  The "pools_num" tracks the
> > number of pools which are initialized.  See depot_init_pool() for more
> > details.
> >
> > If pool_index == pools_num_cached, this will read one element beyond what
> > we want.  If not all the pools are initialized, then the pool will be
> > NULL, triggering a WARN(), and if they are all initialized it will read
> > one element beyond the end of the array.
> >
> > Fixes: b29d31885814 ("lib/stackdepot: store free stack records in a freelist")
> > Signed-off-by: Dan Carpenter <dan.carpenter@...aro.org>
> > ---
> > From static analysis.  What seems to have happened is that originally
> > we stored the highest index instead of the number of elements and when
> > we changed the > to >= comparison was overlooked.
> >
> >  lib/stackdepot.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/lib/stackdepot.c b/lib/stackdepot.c
> > index 8c795bb20afb..af6cc19a2003 100644
> > --- a/lib/stackdepot.c
> > +++ b/lib/stackdepot.c
> > @@ -447,7 +447,7 @@ static struct stack_record *depot_fetch_stack(depot_stack_handle_t handle)
> >
> >         lockdep_assert_not_held(&pool_lock);
> >
> > -       if (pool_index > pools_num_cached) {
> > +       if (pool_index >= pools_num_cached) {
> >                 WARN(1, "pool index %d out of bounds (%d) for stack id %08x\n",
> >                      pool_index, pools_num_cached, handle);
> >                 return NULL;
> > --
> > 2.43.0
> >
> 
> Hi Dan,
> 
> This patch needs to be rebased onto "lib/stackdepot: Fix first entry
> having a 0-handle", which is now in mm-stable.

I wrote it on top of that patch...  Backports will need to be adjusted
to handle it, I guess.  The "lib/stackdepot: fix first entry having a
0-handle" commit has this note:

    This bug has been lurking since the very beginning of stackdepot, but no
    one really cared as it seems.  Because of that I am not adding a Fixes
    tag.

I don't really know the code very well so I can't respond to that.

regards,
dan carpenter

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ