Date: Tue, 10 Sep 2013 15:06:38 -0700
From: Andi Kleen <ak@linux.intel.com>
To: Dmitry Vyukov <dvyukov@google.com>
Cc: LKML <linux-kernel@vger.kernel.org>, Paul Turner <pjt@google.com>,
        Andrey Konovalov <andreyknvl@google.com>,
        Kostya Serebryany <kcc@google.com>
Subject: Re: Out-of-bounds access in get_wchan (arch/x86/kernel/process_64.c)
Message-ID: <20130910220638.GG11427@tassilo.jf.intel.com>
References: <CACT4Y+Y6r=HV7nFgbu=B=d-4ka3J4yotRjgX1M1xGkNkFn1sOQ@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <CACT4Y+Y6r=HV7nFgbu=B=d-4ka3J4yotRjgX1M1xGkNkFn1sOQ@mail.gmail.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
Sender: linux-kernel-owner@vger.kernel.org
Content-Length: 859
Lines: 26

> Indeed, get_wchan ensures that fp<stack+THREAD_SIZE, but then dereferences fp+8:
> 
> 434                 if (fp < (unsigned long)stack ||
> 435                     fp >= (unsigned long)stack+THREAD_SIZE)
> 436                         return 0;
> 437                 ip = *(u64 *)(fp+8);
> 
> It must check that fp+8<stack+THREAD_SIZE.
> As far as I see, the bug can lead to garbage return values or in the
> worst case to crash.

Thanks for the report.

The change looks good to me. Can you please submit a formal signed off patch
to x86@kernel.org ?

-Andi


-- 
ak@linux.intel.com -- Speaking for myself only
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/