From: Dmitry Vyukov
Date: Wed, 11 Sep 2013 22:16:32 +0400
Subject: Re: Out-of-bounds access in get_wchan (arch/x86/kernel/process_64.c)
To: Andi Kleen, Wolfram Gloger
Cc: LKML, Paul Turner, Andrey Konovalov, Kostya Serebryany

On Wed, Sep 11, 2013 at 2:06 AM, Andi Kleen wrote:
>> Indeed, get_wchan ensures that fp
>>
>>         if (fp < (unsigned long)stack ||
>>             fp >= (unsigned long)stack+THREAD_SIZE)
>>                 return 0;
>>         ip = *(u64 *)(fp+8);
>>
>> It must check that fp+8
>>
>> As far as I see, the bug can lead to garbage return values or in the
>> worst case to crash.
>
> Thanks for the report.
>
> The change looks good to me. Can you please submit a formal signed off patch
> to x86@kernel.org ?

Hi Andi,

Wolfram has a patch for it.
Wolfram, please send your patch to x86@kernel.org.
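The off-by-a-word condition discussed in this thread, as an added user-space model that is not part of the original message and is not the patch mentioned above. The names `fp_ok_quoted`, `fp_ok_strict`, `bytes_past_end` and `count_unsafe_accepts`, the `THREAD_SIZE` value and the base address are assumptions made for illustration; `fp_ok_strict` is one possible way to bound the whole 8-byte load at `fp+8`.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define THREAD_SIZE 8192u /* assumed stack size for this model */

/* Range check as quoted in the thread: only fp itself is bounded. */
static int fp_ok_quoted(uintptr_t stack, uintptr_t fp)
{
    return !(fp < stack || fp >= stack + THREAD_SIZE);
}

/* Stricter form (assumption): the full u64 at fp+8 must lie in the stack. */
static int fp_ok_strict(uintptr_t stack, uintptr_t fp)
{
    const uintptr_t end = stack + THREAD_SIZE;
    const uintptr_t need = 8 + sizeof(uint64_t); /* load offset + load width */

    return !(fp < stack || fp > end - need);
}

/* Bytes that the load *(u64 *)(fp+8) would touch beyond the stack end. */
static size_t bytes_past_end(uintptr_t stack, uintptr_t fp)
{
    const uintptr_t end = stack + THREAD_SIZE;
    const uintptr_t last = fp + 8 + sizeof(uint64_t); /* one past last byte */

    return last > end ? (size_t)(last - end) : 0;
}

/* Count fp values a check accepts although the load would leave the stack. */
static unsigned count_unsafe_accepts(int (*check)(uintptr_t, uintptr_t))
{
    const uintptr_t stack = 0x100000; /* constructed base address */
    unsigned n = 0;

    for (uintptr_t fp = stack - 16; fp < stack + THREAD_SIZE + 16; fp++)
        if (check(stack, fp) && bytes_past_end(stack, fp) > 0)
            n++;
    return n;
}

int main(void)
{
    printf("quoted check: %u unsafe fp values accepted\n",
           count_unsafe_accepts(fp_ok_quoted));
    printf("strict check: %u unsafe fp values accepted\n",
           count_unsafe_accepts(fp_ok_strict));
    return 0;
}
```

The model sweeps every byte offset; with an 8-byte-aligned frame pointer the relevant case is `fp == stack + THREAD_SIZE - 8`, where the quoted check passes and the load reads 8 bytes entirely outside the stack.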