From: Artem Bityutskiy <dedekind1@gmail.com>
To: Don Mullis <don.mullis@gmail.com>
Cc: linux-kernel@vger.kernel.org, David Airlie <airlied@linux.ie>,
	Dave Chinner <david@fromorbit.com>
Subject: [PATCH] lib/list_sort: do not pass bad pointers to cmp callback
Date: Sat, 21 Aug 2010 13:06:22 +0300	[thread overview]
Message-ID: <1282385182.2358.41.camel@localhost> (raw)
In-Reply-To: <AANLkTikEN_RBQeOTKxjLp2sud1qyCjFtWSXVXXMc79zw@mail.gmail.com>

From: Don Mullis <don.mullis@gmail.com>

If the original list is a POT in length, the first callback from line 73 will
pass a==b both pointing to the original list_head. This is dangerous because
the 'list_sort()' user can use 'container_of()' and access the "containing"
object, which does not necessarily exist for the list head. So the user can
access RAM which does not belong to him. If this is a write access, we can end
up with memory corruption. This patch fixes the issue.

Signed-off-by: Don Mullis <don.mullis@gmail.com>
Tested-by: Artem Bityutskiy <Artem.Bityutskiy@nokia.com>
Signed-off-by: Artem Bityutskiy <Artem.Bityutskiy@nokia.com>
Cc: stable@kernel.org
---
 lib/list_sort.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/lib/list_sort.c b/lib/list_sort.c
index 4b5cb79..a7616fa 100644
--- a/lib/list_sort.c
+++ b/lib/list_sort.c
@@ -70,7 +70,7 @@ static void merge_and_restore_back_links(void *priv,
 		 * element comparison is needed, so the client's cmp()
 		 * routine can invoke cond_resched() periodically.
 		 */
-		(*cmp)(priv, tail, tail);
+		(*cmp)(priv, tail->next, tail->next);
 
 		tail->next->prev = tail;
 		tail = tail->next;
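
Review bot: the comment block directly above the call still says only that "no element comparison is needed", and nothing now records why `tail` itself must not be passed; please extend it to state that the callback may be invoked with a == b and that both arguments are always real list elements, never `head`, so a later cleanup cannot quietly reintroduce `(*cmp)(priv, tail, tail)`. The new call dereferences `tail->next` one line before `tail->next->prev = tail;` already does, so it adds no NULL risk the loop did not carry before.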
-- 
1.7.1.1


-- 
Best Regards,
Artem Bityutskiy (Артём Битюцкий)
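
As an added illustration (this is the editor's example, not code from the patch or from lib/list_sort.c itself): a userspace model of the 2010-era list_sort()/merge_and_restore_back_links() pair, with a switch between the old cmp(tail, tail) call and the patched cmp(tail->next, tail->next). The client cmp() recognises the sentinel head instead of running container_of() on it, so the out-of-bounds access the commit message describes is counted rather than performed. struct item, struct ctx, key_cmp, bad_head_calls and the fixed flag are this example's own names; list_head and container_of are reimplemented here so it builds with a plain C compiler, and the input list is constructed (keys n..1).

```c
#include <stddef.h>
#include <stdlib.h>

struct list_head { struct list_head *next, *prev; };	/* kernel stand-in */
#define container_of(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))
typedef int (*cmp_fn)(void *priv, struct list_head *a, struct list_head *b);
struct item { int key; struct list_head node; };	/* example payload */
struct ctx { struct list_head *head; int bad_calls; };	/* example priv */

/* Client cmp(): counts calls that hand it the sentinel head; container_of() on it would be out of bounds. */
static int key_cmp(void *priv, struct list_head *a, struct list_head *b)
{
	struct ctx *c = priv;
	if (a == c->head || b == c->head)
		return c->bad_calls++, 0;	/* record it, compare nothing */
	return container_of(a, struct item, node)->key -
	       container_of(b, struct item, node)->key;
}

/* Merge two NULL-terminated runs by next pointers only; prev stays stale. */
static struct list_head *merge(void *priv, cmp_fn cmp,
			       struct list_head *a, struct list_head *b)
{
	struct list_head head, *tail = &head;
	while (a && b) {	/* ties take a, keeping the sort stable */
		if (cmp(priv, a, b) <= 0) { tail->next = a; a = a->next; }
		else			  { tail->next = b; b = b->next; }
		tail = tail->next;
	}
	tail->next = a ? a : b;
	return head.next;
}

/* Final merge, rebuilds prev links and closes the ring; 'fixed' picks the patched cmp() call. */
static void merge_and_restore_back_links(void *priv, cmp_fn cmp, int fixed,
		struct list_head *head, struct list_head *a, struct list_head *b)
{
	struct list_head *tail = head;
	while (a && b) {
		if (cmp(priv, a, b) <= 0) { tail->next = a; a->prev = tail; a = a->next; }
		else			  { tail->next = b; b->prev = tail; b = b->next; }
		tail = tail->next;
	}
	tail->next = a ? a : b;	/* b == NULL for 2^k lengths: loop skipped, tail == head */
	do {
		/* courtesy call so cmp() may cond_resched(); old form passes tail, i.e. head */
		cmp(priv, fixed ? tail->next : tail, fixed ? tail->next : tail);
		tail->next->prev = tail;
		tail = tail->next;
	} while (tail->next);
	tail->next = head;
	head->prev = tail;
}

/* Bottom-up merge sort after the 2010 lib/list_sort.c (non-empty list; part[] sized for this demo). */
static void list_sort(void *priv, struct list_head *head, cmp_fn cmp, int fixed)
{
	struct list_head *part[32] = { 0 }, *list, *cur;
	int lev = 0, max_lev = 0;
	head->prev->next = NULL;	/* break the ring into a NULL-ended chain */
	for (list = head->next; list; part[lev] = cur) {
		cur = list, list = list->next, cur->next = NULL;	/* pop one */
		for (lev = 0; part[lev]; lev++) {
			cur = merge(priv, cmp, part[lev], cur);
			part[lev] = NULL;
		}
		max_lev = lev > max_lev ? lev : max_lev;
	}
	for (lev = 0; lev < max_lev; lev++)
		if (part[lev])
			list = merge(priv, cmp, part[lev], list);
	merge_and_restore_back_links(priv, cmp, fixed, head, part[max_lev], list);
}

/* Sort a constructed list of n >= 1 items keyed n..1; return how many cmp()
 * calls received the head, or -1 if the result is not a sorted, linked ring. */
int bad_head_calls(int n, int fixed)
{
	struct list_head head = { &head, &head }, *p;
	struct item *items = calloc(n, sizeof *items);
	struct ctx c = { &head, 0 };
	int i, prev = 0, count = 0, ok = 1;
	for (i = 0; i < n; i++) {	/* list_add_tail() */
		items[i].key = n - i;
		items[i].node.prev = head.prev;
		items[i].node.next = &head;
		head.prev->next = &items[i].node;
		head.prev = &items[i].node;
	}
	list_sort(&c, &head, key_cmp, fixed);
	for (p = head.next; p != &head; p = p->next, count++) {
		int key = container_of(p, struct item, node)->key;
		ok &= p->prev->next == p && key >= prev;
		prev = key;
	}
	ok &= head.prev->next == &head && count == n;
	free(items);
	return ok ? c.bad_calls : -1;
}
```

For a list of 8 elements (a power of two) the old call reaches cmp() with the head exactly once, on the first pass of the do-while loop, because the merge loop above it never ran and tail is still head; with the patched call it never does. The sorted ring is identical either way, since the return value of that courtesy call is discarded. A length such as 7 never triggers it: both runs are non-empty, the merge loop runs at least once, and tail has moved off the head before the do-while starts.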


Thread overview: 18+ messages
2010-08-07  8:10 [PATCH 0/6] improve list_sort test Artem Bityutskiy
2010-08-07  8:10 ` [PATCH 1/6] lib/Kconfig.debug: add list_sort debugging switch Artem Bityutskiy
2010-08-07  8:10 ` [PATCH 2/6] lib/list_sort: test: use more reasonable printk levels Artem Bityutskiy
2010-08-07  8:10 ` [PATCH 3/6] lib/list_sort: test: use generic random32 Artem Bityutskiy
2010-08-07  8:10 ` [PATCH 4/6] lib/list_sort: test: improve errors handling Artem Bityutskiy
2010-08-07  8:10 ` [PATCH 5/6] lib/list_sort: test: unify test messages Artem Bityutskiy
2010-08-07  8:10 ` [PATCH 6/6] lib/list_sort: test: check element addresses Artem Bityutskiy
2010-08-08 10:03 ` [PATCH 0/6] improve list_sort test Artem Bityutskiy
2010-08-08 19:31   ` Don Mullis
2010-08-08 20:07     ` Don Mullis
2010-08-09  5:59       ` Artem Bityutskiy
2010-08-21  9:56       ` Artem Bityutskiy
2010-08-21 10:03       ` Artem Bityutskiy
2010-08-21 10:06       ` Artem Bityutskiy [this message]
2010-08-21  9:32     ` Artem Bityutskiy
2010-08-21 10:22 ` Artem Bityutskiy
2010-08-21 16:59   ` don.mullis
2010-08-21 17:48     ` Artem Bityutskiy
