* [PATCH] x86/mpx: Fix off-by-one comparison with nr_registers
@ 2016-02-26 18:55 Colin King
2016-02-26 19:08 ` Dave Hansen
2016-02-26 21:15 ` [tip:x86/urgent] " tip-bot for Colin Ian King
0 siblings, 2 replies; 3+ messages in thread
From: Colin King @ 2016-02-26 18:55 UTC
To: Thomas Gleixner, Ingo Molnar, H . Peter Anvin, x86, Dave Hansen,
Borislav Petkov, Kirill A . Shutemov
Cc: linux-kernel
From: Colin Ian King <colin.king@canonical.com>
In the unlikely event that regno == nr_registers then we get an array
overrun on regoff because the invalid register check is currently
off-by-one. Fix this with a check that regno is >= nr_registers instead.
Detected with static analysis using CoverityScan.
Signed-off-by: Colin Ian King <colin.king@canonical.com>
---
arch/x86/mm/mpx.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/x86/mm/mpx.c b/arch/x86/mm/mpx.c
index 5584397..8047687 100644
--- a/arch/x86/mm/mpx.c
+++ b/arch/x86/mm/mpx.c
@@ -123,7 +123,7 @@ static int get_reg_offset(struct insn *insn, struct pt_regs *regs,
break;
}
- if (regno > nr_registers) {
+ if (regno >= nr_registers) {
WARN_ONCE(1, "decoded an instruction with an invalid register");
return -EINVAL;
}
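Review bot: the corrected test, if (regno >= nr_registers), bounds only the upper side, and nothing in this hunk shows the type of regno. If it is a signed int, a negative value would still pass this check and index regoff before its start, so it is worth confirming that the decode paths ending at the break; above can never leave regno negative, or else writing the test as regno < 0 || regno >= nr_registers. The changelog would also be easier to verify if it said explicitly that nr_registers is the element count of regoff, since that is the property that makes >= the right comparison.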
--
2.7.0
* Re: [PATCH] x86/mpx: Fix off-by-one comparison with nr_registers
From: Dave Hansen @ 2016-02-26 19:08 UTC
To: Colin King, Thomas Gleixner, Ingo Molnar, H . Peter Anvin, x86,
Borislav Petkov, Kirill A . Shutemov
Cc: linux-kernel
On 02/26/2016 10:55 AM, Colin King wrote:
> In the unlikely event that regno == nr_registers then we get an array
> overrun on regoff because the invalid register check is currently
> off-by-one. Fix this with a check that regno is >= nr_registers instead.
>
> Detected with static analysis using CoverityScan.
Oh, the irony of an overrun in the MPX code! Thanks for catching this.
Acked-by: Dave Hansen <dave.hansen@intel.com>
* [tip:x86/urgent] x86/mpx: Fix off-by-one comparison with nr_registers
From: tip-bot for Colin Ian King @ 2016-02-26 21:15 UTC
To: linux-tip-commits
Cc: kirill.shutemov, bp, hpa, mingo, linux-kernel, colin.king, tglx,
dave.hansen
Commit-ID: 9bf148cb0812595bfdf5100bd2c07e9bec9c6ef5
Gitweb: http://git.kernel.org/tip/9bf148cb0812595bfdf5100bd2c07e9bec9c6ef5
Author: Colin Ian King <colin.king@canonical.com>
AuthorDate: Fri, 26 Feb 2016 18:55:31 +0000
Committer: Thomas Gleixner <tglx@linutronix.de>
CommitDate: Fri, 26 Feb 2016 22:12:47 +0100
x86/mpx: Fix off-by-one comparison with nr_registers
In the unlikely event that regno == nr_registers then we get an array
overrun on regoff because the invalid register check is currently
off-by-one. Fix this with a check that regno is >= nr_registers instead.
Detected with static analysis using CoverityScan.
Fixes: fcc7ffd67991 "x86, mpx: Decode MPX instruction to get bound violation information"
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Acked-by: Dave Hansen <dave.hansen@linux.intel.com>
Cc: Borislav Petkov <bp@alien8.de>
Cc: "Kirill A . Shutemov" <kirill.shutemov@linux.intel.com>
Cc: stable@vger.kernel.org
Link: http://lkml.kernel.org/r/1456512931-3388-1-git-send-email-colin.king@canonical.com
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
---
arch/x86/mm/mpx.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/x86/mm/mpx.c b/arch/x86/mm/mpx.c
index b2fd67d..ef05755 100644
--- a/arch/x86/mm/mpx.c
+++ b/arch/x86/mm/mpx.c
@@ -123,7 +123,7 @@ static int get_reg_offset(struct insn *insn, struct pt_regs *regs,
break;
}
- if (regno > nr_registers) {
+ if (regno >= nr_registers) {
WARN_ONCE(1, "decoded an instruction with an invalid register");
return -EINVAL;
}
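Review bot: the WARN_ONCE(1, "decoded an instruction with an invalid register") in the context lines directly after the changed comparison prints neither regno nor nr_registers, and the string has no trailing newline. With the check now also rejecting regno == nr_registers, a message that includes both values (for example "invalid register %d (max %d)\n") would let a report distinguish the boundary case from a wildly wrong decode without having to reproduce it. That is a follow-up suggestion and does not need to hold up this one-line fix.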