From: tip-bot for Colin Ian King <tipbot@zytor.com>
To: linux-tip-commits@vger.kernel.org
Cc: kirill.shutemov@linux.intel.com, bp@alien8.de, hpa@zytor.com,
mingo@kernel.org, linux-kernel@vger.kernel.org,
colin.king@canonical.com, tglx@linutronix.de,
dave.hansen@linux.intel.com
Subject: [tip:x86/urgent] x86/mpx: Fix off-by-one comparison with nr_registers
Date: Fri, 26 Feb 2016 13:15:43 -0800
Message-ID: <tip-9bf148cb0812595bfdf5100bd2c07e9bec9c6ef5@git.kernel.org>
In-Reply-To: <1456512931-3388-1-git-send-email-colin.king@canonical.com>
Commit-ID: 9bf148cb0812595bfdf5100bd2c07e9bec9c6ef5
Gitweb: http://git.kernel.org/tip/9bf148cb0812595bfdf5100bd2c07e9bec9c6ef5
Author: Colin Ian King <colin.king@canonical.com>
AuthorDate: Fri, 26 Feb 2016 18:55:31 +0000
Committer: Thomas Gleixner <tglx@linutronix.de>
CommitDate: Fri, 26 Feb 2016 22:12:47 +0100

x86/mpx: Fix off-by-one comparison with nr_registers

In the unlikely event that regno == nr_registers then we get an array
overrun on regoff because the invalid register check is currently
off-by-one. Fix this with a check that regno is >= nr_registers instead.

Detected with static analysis using CoverityScan.

Fixes: fcc7ffd67991 "x86, mpx: Decode MPX instruction to get bound violation information"
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Acked-by: Dave Hansen <dave.hansen@linux.intel.com>
Cc: Borislav Petkov <bp@alien8.de>
Cc: "Kirill A . Shutemov" <kirill.shutemov@linux.intel.com>
Cc: stable@vger.kernel.org
Link: http://lkml.kernel.org/r/1456512931-3388-1-git-send-email-colin.king@canonical.com
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
---
arch/x86/mm/mpx.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/x86/mm/mpx.c b/arch/x86/mm/mpx.c
index b2fd67d..ef05755 100644
--- a/arch/x86/mm/mpx.c
+++ b/arch/x86/mm/mpx.c
@@ -123,7 +123,7 @@ static int get_reg_offset(struct insn *insn, struct pt_regs *regs,
break;
}
- if (regno > nr_registers) {
+ if (regno >= nr_registers) {
WARN_ONCE(1, "decoded an instruction with an invalid register");
return -EINVAL;
}
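Review bot: The corrected test at `if (regno >= nr_registers)` guards only the upper end of the index range, and the hunk does not show how regno is declared. If it is a signed type, please confirm that no path through the switch above can leave it negative before it is used to index regoff, or add a lower-bound check alongside this one. As a smaller point, the WARN_ONCE text would be more useful in triage if it printed the offending regno and nr_registers rather than a fixed string.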