| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20241218081800.05d81fe4@gandalf.local.home> Date: Wed, 18 Dec 2024 08:18:00 -0500 From: Steven Rostedt <rostedt@...dmis.org> To: Edward Adam Davis <eadavis@...com> Cc: vdonnefort@...gle.com, aha310510@...il.com, david@...hat.com, linux-kernel@...r.kernel.org, linux-trace-kernel@...r.kernel.org, mathieu.desnoyers@...icios.com, mhiramat@...nel.org, syzbot+345e4443a21200874b18@...kaller.appspotmail.com, syzkaller-bugs@...glegroups.com Subject: Re: [PATCH V2] ring-buffer: fix overflow in __rb_map_vma On Wed, 18 Dec 2024 19:42:22 +0800 Edward Adam Davis <eadavis@...com> wrote: > diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c > index 7e257e855dd1..20f0e01b7a50 100644 > --- a/kernel/trace/ring_buffer.c > +++ b/kernel/trace/ring_buffer.c > @@ -7019,7 +7019,11 @@ static int __rb_map_vma(struct ring_buffer_per_cpu *cpu_buffer, > lockdep_assert_held(&cpu_buffer->mapping_lock); > > nr_subbufs = cpu_buffer->nr_pages + 1; /* + reader-subbuf */ > - nr_pages = ((nr_subbufs + 1) << subbuf_order) - pgoff; /* + meta-page */ > + nr_pages = ((nr_subbufs + 1) << subbuf_order); /* + meta-page */ > + if (nr_pages < pgoff) That probably should be <= as if it was equal... > + return -EINVAL; > + > + nr_pages -= pgoff; nr_pages would be zero and > > nr_vma_pages = vma_pages(vma); > if (!nr_vma_pages || nr_vma_pages > nr_pages) this would return true, which the next line is: return -EINVAL; Why not catch it before going through all that? -- Steve > --
Powered by blists - more mailing lists