From: fuqiang wang <fuqiang.wang@easystack.cn>
To: Baoquan He <bhe@redhat.com>, Vivek Goyal <vgoyal@redhat.com>,
Dave Young <dyoung@redhat.com>, Yuntao Wang <ytcoode@gmail.com>
Cc: kexec@lists.infradead.org, linux-kernel@vger.kernel.org
Subject: [PATCH v2 2/2] kexec: Fix potential out of bounds in crash_exclude_mem_range()
Date: Wed, 20 Dec 2023 13:57:32 +0800 [thread overview]
Message-ID: <20231220055733.100325-3-fuqiang.wang@easystack.cn> (raw)
In-Reply-To: <20231220055733.100325-1-fuqiang.wang@easystack.cn>
When the split does not occur on the last array member, the current code
will not return an error. So the correct array out-of-bounds check should
be mem->nr_ranges >= mem->max_nr_ranges.
When the OOB happen, the cmem->ranges[] have changed, so return early to
avoid it.
Signed-off-by: fuqiang wang <fuqiang.wang@easystack.cn>
---
kernel/crash_core.c | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/kernel/crash_core.c b/kernel/crash_core.c
index d4313b53837e..b1ab61c74fd2 100644
--- a/kernel/crash_core.c
+++ b/kernel/crash_core.c
@@ -611,6 +611,9 @@ int crash_exclude_mem_range(struct crash_mem *mem,
}
if (p_start > start && p_end < end) {
+ /* Split happened */
+ if (mem->nr_ranges >= mem->max_nr_ranges)
+ return -ENOMEM;
/* Split original range */
mem->ranges[i].end = p_start - 1;
temp_range.start = p_end + 1;
@@ -626,10 +629,6 @@ int crash_exclude_mem_range(struct crash_mem *mem,
if (!temp_range.end)
return 0;
- /* Split happened */
- if (i == mem->max_nr_ranges - 1)
- return -ENOMEM;
-
/* Location where new range should go */
j = i + 1;
if (j < mem->nr_ranges) {
--
2.42.0
_______________________________________________
kexec mailing list
kexec@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/kexec
WARNING: multiple messages have this Message-ID (diff)
From: fuqiang wang <fuqiang.wang@easystack.cn>
To: Baoquan He <bhe@redhat.com>, Vivek Goyal <vgoyal@redhat.com>,
Dave Young <dyoung@redhat.com>, Yuntao Wang <ytcoode@gmail.com>
Cc: kexec@lists.infradead.org, linux-kernel@vger.kernel.org
Subject: [PATCH v2 2/2] kexec: Fix potential out of bounds in crash_exclude_mem_range()
Date: Wed, 20 Dec 2023 13:57:32 +0800 [thread overview]
Message-ID: <20231220055733.100325-3-fuqiang.wang@easystack.cn> (raw)
In-Reply-To: <20231220055733.100325-1-fuqiang.wang@easystack.cn>
When the split does not occur on the last array member, the current code
will not return an error. So the correct array out-of-bounds check should
be mem->nr_ranges >= mem->max_nr_ranges.
When the OOB happen, the cmem->ranges[] have changed, so return early to
avoid it.
Signed-off-by: fuqiang wang <fuqiang.wang@easystack.cn>
---
kernel/crash_core.c | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/kernel/crash_core.c b/kernel/crash_core.c
index d4313b53837e..b1ab61c74fd2 100644
--- a/kernel/crash_core.c
+++ b/kernel/crash_core.c
@@ -611,6 +611,9 @@ int crash_exclude_mem_range(struct crash_mem *mem,
}
if (p_start > start && p_end < end) {
+ /* Split happened */
+ if (mem->nr_ranges >= mem->max_nr_ranges)
+ return -ENOMEM;
/* Split original range */
mem->ranges[i].end = p_start - 1;
temp_range.start = p_end + 1;
@@ -626,10 +629,6 @@ int crash_exclude_mem_range(struct crash_mem *mem,
if (!temp_range.end)
return 0;
- /* Split happened */
- if (i == mem->max_nr_ranges - 1)
- return -ENOMEM;
-
/* Location where new range should go */
j = i + 1;
if (j < mem->nr_ranges) {
--
2.42.0
next prev parent reply other threads:[~2023-12-20 5:59 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-12-20 5:57 [PATCH v2 0/2] kexec: fix potential cmem->ranges out of bounds fuqiang wang
2023-12-20 5:57 ` fuqiang wang
2023-12-20 5:57 ` [PATCH v2 1/2] x86/kexec: Fix potential out of bounds in crash_setup_memmap_entries() fuqiang wang
2023-12-20 5:57 ` fuqiang wang
2023-12-21 13:14 ` Baoquan He
2023-12-21 13:14 ` Baoquan He
2023-12-22 11:41 ` fuqiang wang
2023-12-22 11:41 ` fuqiang wang
2023-12-20 5:57 ` fuqiang wang [this message]
2023-12-20 5:57 ` [PATCH v2 2/2] kexec: Fix potential out of bounds in crash_exclude_mem_range() fuqiang wang
2023-12-21 11:42 ` Baoquan He
2023-12-21 11:42 ` Baoquan He
2023-12-22 11:08 ` fuqiang wang
2023-12-22 11:08 ` fuqiang wang
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20231220055733.100325-3-fuqiang.wang@easystack.cn \
--to=fuqiang.wang@easystack.cn \
--cc=bhe@redhat.com \
--cc=dyoung@redhat.com \
--cc=kexec@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=vgoyal@redhat.com \
--cc=ytcoode@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.