From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org, stable@kernel.org
Cc: Justin Forbes <jmforbes@linuxtx.org>,
Zwane Mwaikambo <zwane@arm.linux.org.uk>,
"Theodore Ts'o" <tytso@mit.edu>,
Randy Dunlap <rdunlap@xenotime.net>,
Dave Jones <davej@redhat.com>,
Chuck Wolber <chuckw@quantumlinux.com>,
Chris Wedgwood <reviews@ml.cw.f00f.org>,
Michael Krufky <mkrufky@linuxtv.org>,
Chuck Ebbert <cebbert@redhat.com>,
Domenico Andreoli <cavokz@gmail.com>, Willy Tarreau <w@1wt.eu>,
Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
Jake Edge <jake@lwn.net>, Eugene Teo <eteo@redhat.com>,
torvalds@linux-foundation.org, akpm@linux-foundation.org,
alan@lxorguk.ukuu.org.uk, Ingo Molnar <mingo@elte.hu>,
David Rientjes <rientjes@google.com>
Subject: [patch 21/26] x86: avoid dereferencing beyond stack + THREAD_SIZE
Date: Sat, 18 Oct 2008 11:48:13 -0700 [thread overview]
Message-ID: <20081018184813.GV301@suse.de> (raw)
In-Reply-To: <20081018184708.GA301@suse.de>
[-- Attachment #1: x86-avoid-dereferencing-beyond-stack-thread_size.patch --]
[-- Type: text/plain, Size: 1293 bytes --]
2.6.26-stable review patch. If anyone has any objections, please let us
know.
------------------
From: David Rientjes <rientjes@google.com>
commit 60e6258cd43f9b06884f04f0f7cefb9c40f17a32 upstream
It's possible for get_wchan() to dereference past task->stack + THREAD_SIZE
while iterating through instruction pointers if fp equals the upper boundary,
causing a kernel panic.
Signed-off-by: David Rientjes <rientjes@google.com>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
Cc: Chuck Ebbert <cebbert@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
arch/x86/kernel/process_64.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/arch/x86/kernel/process_64.c
+++ b/arch/x86/kernel/process_64.c
@@ -740,12 +740,12 @@ unsigned long get_wchan(struct task_stru
if (!p || p == current || p->state==TASK_RUNNING)
return 0;
stack = (unsigned long)task_stack_page(p);
- if (p->thread.sp < stack || p->thread.sp > stack+THREAD_SIZE)
+ if (p->thread.sp < stack || p->thread.sp >= stack+THREAD_SIZE)
return 0;
fp = *(u64 *)(p->thread.sp);
do {
if (fp < (unsigned long)stack ||
- fp > (unsigned long)stack+THREAD_SIZE)
+ fp >= (unsigned long)stack+THREAD_SIZE)
return 0;
ip = *(u64 *)(fp+8);
if (!in_sched_functions(ip))
--
next prev parent reply other threads:[~2008-10-18 19:17 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20081018183853.004667035@mini.kroah.org>
2008-10-18 18:47 ` [patch 00/26] 2.6.26-stable review Greg KH
2008-10-18 18:47 ` [patch 01/26] x86: Reserve FIRST_DEVICE_VECTOR in used_vectors bitmap Greg KH
2008-10-18 18:47 ` [patch 02/26] x86: improve UP kernel when CPU-hotplug and SMP is enabled Greg KH
2008-10-18 18:47 ` [patch 03/26] x86, early_ioremap: fix fencepost error Greg KH
2008-10-18 18:47 ` [patch 04/26] tty: Termios locking - sort out real_tty confusions and lock reads Greg KH
2008-10-18 18:47 ` [patch 05/26] sched_rt.c: resch needed in rt_rq_enqueue() for the root rt_rq Greg KH
2008-10-18 18:47 ` [patch 06/26] CIFS: make sure we have the right resume info before calling CIFSFindNext Greg KH
2008-10-18 18:47 ` [patch 07/26] b43legacy: Fix failure in rate-adjustment mechanism Greg KH
2008-10-18 18:47 ` [patch 08/26] modules: fix module "notes" kobject leak Greg KH
2008-10-18 18:47 ` [patch 09/26] fbcon_set_all_vcs: fix kernel crash when switching the rotated consoles Greg KH
2008-10-18 18:47 ` [patch 10/26] libata: always do follow-up SRST if hardreset returned -EAGAIN Greg KH
2008-10-18 18:47 ` [patch 11/26] libata: fix EH action overwriting in ata_eh_reset() Greg KH
2008-10-18 18:47 ` [patch 12/26] libata: LBA28/LBA48 off-by-one bug in ata.h Greg KH
2008-10-18 18:47 ` [patch 13/26] V4L: bttv: Prevent NULL pointer dereference in radio_open Greg KH
2008-10-18 18:47 ` [patch 14/26] V4L: zr36067: Fix RGBR pixel format Greg KH
2008-10-18 18:47 ` [patch 15/26] Dont allow splice() to files opened with O_APPEND Greg KH
2008-10-18 18:48 ` [patch 16/26] V4L/DVB (8498): uvcvideo: Return sensible min and max values when querying a boolean control Greg KH
2008-10-18 18:48 ` [patch 17/26] V4L/DVB (8617): uvcvideo: dont use stack-based buffers for USB transfers Greg KH
2008-10-18 18:48 ` [patch 19/26] PCI: disable ASPM per ACPI FADT setting Greg KH
2008-10-18 18:48 ` [patch 20/26] PCI: disable ASPM on pre-1.1 PCIe devices Greg KH
2008-10-18 18:48 ` [patch 18/26] V4L/DVB (9053): fix buffer overflow in uvc-video Greg KH
2008-10-18 18:48 ` Greg KH [this message]
2008-10-18 18:48 ` [patch 22/26] Check mapped ranges on sysfs resource files Greg KH
2008-10-18 18:48 ` [patch 23/26] hwmon: (it87) Prevent power-off on Shuttle SN68PT Greg KH
2008-10-18 18:48 ` [patch 24/26] ACPI: Ignore _BQC object when registering backlight device Greg KH
2008-10-18 18:48 ` [patch 25/26] drm/i915: fix ioremap of a user address for non-root (CVE-2008-3831) Greg KH
2008-10-18 18:48 ` [patch 26/26] DVB: au0828: add support for another USB id for Hauppauge HVR950Q Greg KH
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20081018184813.GV301@suse.de \
--to=gregkh@suse.de \
--cc=akpm@linux-foundation.org \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=cavokz@gmail.com \
--cc=cebbert@redhat.com \
--cc=chuckw@quantumlinux.com \
--cc=davej@redhat.com \
--cc=eteo@redhat.com \
--cc=jake@lwn.net \
--cc=jmforbes@linuxtx.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@elte.hu \
--cc=mkrufky@linuxtv.org \
--cc=rbranco@la.checkpoint.com \
--cc=rdunlap@xenotime.net \
--cc=reviews@ml.cw.f00f.org \
--cc=rientjes@google.com \
--cc=stable@kernel.org \
--cc=torvalds@linux-foundation.org \
--cc=tytso@mit.edu \
--cc=w@1wt.eu \
--cc=zwane@arm.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.