Date: Tue, 18 Feb 2020 11:29:50 +0100
Message-Id: <20200218102950.260263-1-glider@google.com>
Subject: [PATCH] lib/stackdepot: fix global out-of-bounds in stack_slabs
From: glider@google.com
To: walter-zh.wu@mediatek.com, dvyukov@google.com, gregkh@linuxfoundation.org, akpm@linux-foundation.org
Cc: matthias.bgg@gmail.com, tglx@linutronix.de, jpoimboe@redhat.com, kstewart@linuxfoundation.org, linux-mm@kvack.org, penguin-kernel@i-love.sakura.ne.jp, Alexander Potapenko

Walter Wu has reported a potential case in which init_stack_slab() is
called after stack_slabs[STACK_ALLOC_MAX_SLABS - 1] has already been
initialized. In that case init_stack_slab() will overwrite
stack_slabs[STACK_ALLOC_MAX_SLABS], which may result in a memory
corruption.

Fixes: cd11016e5f521 ("mm, kasan: stackdepot implementation. Enable stackdepot for SLAB")
Reported-by: Walter Wu
Cc: Dmitry Vyukov
Cc: Matthias Brugger
Cc: Thomas Gleixner
Cc: Josh Poimboeuf
Cc: Kate Stewart
Cc: Greg Kroah-Hartman
Cc: Andrew Morton
Signed-off-by: Alexander Potapenko
---
v2:
 - prevent a leak of unused preallocated stack slab (spotted by Tetsuo Handa)
---
 lib/stackdepot.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/lib/stackdepot.c b/lib/stackdepot.c
index ed717dd08ff3..81c69c08d1d1 100644
--- a/lib/stackdepot.c
+++ b/lib/stackdepot.c
@@ -83,15 +83,19 @@ static bool init_stack_slab(void **prealloc) return true; if (stack_slabs[depot_index] == NULL) { stack_slabs[depot_index] = *prealloc; + *prealloc = NULL; } else { - stack_slabs[depot_index + 1] = *prealloc; + /* If this is the last depot slab, do not touch the next one. */ + if (depot_index + 1 < STACK_ALLOC_MAX_SLABS) { + stack_slabs[depot_index + 1] = *prealloc; + *prealloc = NULL; + } /* * This smp_store_release pairs with smp_load_acquire() from * |next_slab_inited| above and in stack_depot_save(). */ smp_store_release(&next_slab_inited, 1); } - *prealloc = NULL; return true; } -- 2.25.0.265.gbab2e86ba0-goog
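Review bot: the smp_store_release(&next_slab_inited, 1) in the else branch stays unconditional, so when depot_index + 1 == STACK_ALLOC_MAX_SLABS the new bounds check skips installing the slab but the flag still advertises an initialized next slab. If that is intended because callers must stop at STACK_ALLOC_MAX_SLABS before ever reading stack_slabs[depot_index + 1], the new comment should say so explicitly; otherwise move the release inside the `if (depot_index + 1 < STACK_ALLOC_MAX_SLABS)` block. Moving `*prealloc = NULL;` into the two branches that actually consume the buffer is the right shape for the v2 leak fix: the caller now sees a non-NULL *prealloc exactly when the slab was not installed and can release it. Minor: the subject still reads [PATCH] although the changelog below the --- marks this as v2.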
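The bug and both fixes in the patch, as an added stand-alone model rather than lib/stackdepot.c itself: a small array with a guard slot at index STACK_ALLOC_MAX_SLABS makes the one-past-the-end write observable, and a `patched` flag switches between the old and the new init_stack_slab() logic. The two leading early-return checks are assumed from the unpatched function (only their `return true;` is visible in the hunk), the model is single-threaded, and the kernel's smp_load_acquire/smp_store_release pairs are plain accesses here.

```c
#include <stdbool.h>
#include <string.h>

#define STACK_ALLOC_MAX_SLABS 4	/* small on purpose for the model */

/* Index STACK_ALLOC_MAX_SLABS is a guard slot standing in for whatever
 * follows stack_slabs in the kernel's .bss; the real array has no such slot. */
static void *stack_slabs[STACK_ALLOC_MAX_SLABS + 1];
static int depot_index;		/* slab currently being filled */
static int next_slab_inited;	/* plain int here; acquire/release in the kernel */

/* Scenario from the report: every slab allocated, depot_index at the last one. */
static void depot_fill(void)
{
	memset(stack_slabs, 0, sizeof(stack_slabs));
	for (int i = 0; i < STACK_ALLOC_MAX_SLABS; i++)
		stack_slabs[i] = &stack_slabs[i];	/* any non-NULL value marks "allocated" */
	depot_index = STACK_ALLOC_MAX_SLABS - 1;
	next_slab_inited = 0;
}

/* init_stack_slab() before the patch (patched == false) and after it. */
static bool init_stack_slab(void **prealloc, bool patched)
{
	if (!*prealloc)			/* assumed from the unpatched function */
		return false;
	if (next_slab_inited)		/* assumed from the unpatched function */
		return true;
	if (stack_slabs[depot_index] == NULL) {
		stack_slabs[depot_index] = *prealloc;
		*prealloc = NULL;
	} else {
		/* Patched: if this is the last depot slab, do not touch the next one. */
		if (!patched || depot_index + 1 < STACK_ALLOC_MAX_SLABS) {
			stack_slabs[depot_index + 1] = *prealloc;	/* hits the guard slot when unpatched */
			*prealloc = NULL;
		}
		next_slab_inited = 1;
	}
	return true;
}

/* Run the scenario; bit 0: guard slot clobbered, bit 1: unused prealloc handed back. */
static int run_scenario(bool patched)
{
	void *prealloc = &depot_index;	/* any non-NULL pointer stands in for a fresh slab */
	depot_fill();
	init_stack_slab(&prealloc, patched);
	return (stack_slabs[STACK_ALLOC_MAX_SLABS] != NULL) | (prealloc != NULL) << 1;
}
```

run_scenario(false) returns 1 (guard written, preallocation lost), run_scenario(true) returns 2 (guard untouched, preallocation returned to the caller as the v2 changelog requires).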