From: Suraj Jitindar Singh <sjitindarsingh@gmail.com>
To: Michael Ellerman <mpe@ellerman.id.au>, linuxppc-dev@lists.ozlabs.org
Cc: paulus@samba.org
Subject: Re: powerpc: Add out of bounds check to crash_shutdown_unregister()
Date: Mon, 9 May 2016 10:33:32 +1000 [thread overview]
Message-ID: <572FDADC.2070605@gmail.com> (raw)
In-Reply-To: <3qzTWq5vWxz9t4k@ozlabs.org>
On 03/05/16 15:00, Michael Ellerman wrote:
> On Thu, 2016-28-04 at 06:17:45 UTC, Suraj Jitindar Singh wrote:
>> When unregistering a crash_shutdown_handle in the function
>> crash_shutdown_unregister() the other handles are shifted down in the
>> array to replace the unregistered handle. The for loop assumes that the
>> last element in the array is null and uses this as the stop condition,
>> however in the case that the last element is not null there is no check
>> to ensure that an out of bounds access is not performed.
> But AFAICS the code ensures that entry will always be NULL. So there's no bug at
> the moment.
>
>> Add a check to terminate the shift operation when CRASH_HANDLER_MAX is
>> reached in order to protect against out of bounds accesses.
> Doing it this way is more robust though. The chance of the NULL terminator being
> corrupted is definitely higher than the code being corrupted, and if the latter
> happens we're probably toast anyway.
>
>> diff --git a/arch/powerpc/kernel/crash.c b/arch/powerpc/kernel/crash.c
>> index 2bb252c..6b267af 100644
>> --- a/arch/powerpc/kernel/crash.c
>> +++ b/arch/powerpc/kernel/crash.c
>> @@ -288,7 +288,7 @@ int crash_shutdown_unregister(crash_shutdown_t handler)
>> rc = 1;
>> } else {
>> /* Shift handles down */
>> - for (; crash_shutdown_handles[i]; i++)
>> + for (; crash_shutdown_handles[i] && i < CRASH_HANDLER_MAX; i++)
>> crash_shutdown_handles[i] =
>> crash_shutdown_handles[i+1];
>> rc = 0;
> So if I'm reading it right, with this change we have removed all the code that
> uses the NULL-terminated property of the list.
>
> If so we should also shrink the array to be only CRASH_HANDLER_MAX in size, and
> remove any references to it being NULL terminated.
>
> cheers
Thanks Michael, will change this to reflect that the list is no longer assumed to be null terminated.
prev parent reply other threads:[~2016-05-09 0:33 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-04-28 6:17 [PATCH] powerpc: Add out of bounds check to crash_shutdown_unregister() Suraj Jitindar Singh
2016-04-28 6:55 ` Balbir Singh
2016-04-28 7:18 ` Suraj Jitindar Singh
2016-04-28 7:52 ` Balbir Singh
2016-05-03 5:00 ` Michael Ellerman
2016-05-09 0:33 ` Suraj Jitindar Singh [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=572FDADC.2070605@gmail.com \
--to=sjitindarsingh@gmail.com \
--cc=linuxppc-dev@lists.ozlabs.org \
--cc=mpe@ellerman.id.au \
--cc=paulus@samba.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.