From: Balbir Singh <bsingharora@gmail.com>
To: Suraj Jitindar Singh <sjitindarsingh@gmail.com>,
linuxppc-dev@lists.ozlabs.org
Cc: paulus@samba.org
Subject: Re: [PATCH] powerpc: Add out of bounds check to crash_shutdown_unregister()
Date: Thu, 28 Apr 2016 16:55:13 +1000 [thread overview]
Message-ID: <5721B3D1.2060007@gmail.com> (raw)
In-Reply-To: <1461824265-30592-1-git-send-email-sjitindarsingh@gmail.com>
On 28/04/16 16:17, Suraj Jitindar Singh wrote:
> When unregistering a crash_shutdown_handle in the function
> crash_shutdown_unregister() the other handles are shifted down in the
> array to replace the unregistered handle. The for loop assumes that the
> last element in the array is null and uses this as the stop condition,
> however in the case that the last element is not null there is no check
> to ensure that an out of bounds access is not performed.
>
> Add a check to terminate the shift operation when CRASH_HANDLER_MAX is
> reached in order to protect against out of bounds accesses.
>
> Signed-off-by: Suraj Jitindar Singh <sjitindarsingh@gmail.com>
> ---
> arch/powerpc/kernel/crash.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/arch/powerpc/kernel/crash.c b/arch/powerpc/kernel/crash.c
> index 2bb252c..6b267af 100644
> --- a/arch/powerpc/kernel/crash.c
> +++ b/arch/powerpc/kernel/crash.c
> @@ -288,7 +288,7 @@ int crash_shutdown_unregister(crash_shutdown_t handler)
> rc = 1;
> } else {
> /* Shift handles down */
> - for (; crash_shutdown_handles[i]; i++)
> + for (; crash_shutdown_handles[i] && i < CRASH_HANDLER_MAX; i++)
> crash_shutdown_handles[i] =
> crash_shutdown_handles[i+1];
> rc = 0;
>
with i = CRASH_HANDLER_MAX-1 we could end up with crash_shutdown_handles[i+1] already out of bounds
I think you need to check that i+1 does not overflow
Balbir
next prev parent reply other threads:[~2016-04-28 6:55 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-04-28 6:17 [PATCH] powerpc: Add out of bounds check to crash_shutdown_unregister() Suraj Jitindar Singh
2016-04-28 6:55 ` Balbir Singh [this message]
2016-04-28 7:18 ` Suraj Jitindar Singh
2016-04-28 7:52 ` Balbir Singh
2016-05-03 5:00 ` Michael Ellerman
2016-05-09 0:33 ` Suraj Jitindar Singh
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5721B3D1.2060007@gmail.com \
--to=bsingharora@gmail.com \
--cc=linuxppc-dev@lists.ozlabs.org \
--cc=paulus@samba.org \
--cc=sjitindarsingh@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.