Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id ; Wed, 20 Nov 2002 03:46:42 -0500 Received: (majordomo@vger.kernel.org) by vger.kernel.org id ; Wed, 20 Nov 2002 03:46:42 -0500 Received: from thebsh.namesys.com ([212.16.7.65]:62217 "HELO thebsh.namesys.com") by vger.kernel.org with SMTP id ; Wed, 20 Nov 2002 03:46:38 -0500 From: Nikita Danilov MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Message-ID: <15835.19857.377606.242310@laputa.namesys.com> Date: Wed, 20 Nov 2002 11:53:37 +0300 X-PGP-Fingerprint: 43CE 9384 5A1D CD75 5087 A876 A1AA 84D0 CCAA AC92 X-PGP-Key-ID: CCAAAC92 X-PGP-Key-At: http://wwwkeys.pgp.net:11371/pks/lookup?op=get&search=0xCCAAAC92 To: acc@cs.stanford.edu Cc: mc@cs.stanford.edu, linux-kernel@vger.kernel.org Subject: Re: [CHECKER] 74 potential buffer overruns in 2.5.33 In-Reply-To: <20021119234531.GA2723@Xenon.stanford.edu> References: <20021119234531.GA2723@Xenon.stanford.edu> X-Mailer: VM 7.07 under 21.5 (beta6) "bok choi" XEmacs Lucid Tomato: Green Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1578 Lines: 50 Andy Chou writes: > Here are 74 out-of-bounds array accesses in Linux 2.5.33 found by the > MC checker. This checker only considers statically allocated arrays > with indices that can be calculated at compile time. > > The code fragment in each description below is incomplete; you'll need > to look at the source in some cases to determine if the report is > really a bug. > > We'd appreciate any feedback -- even if it's not a bug. > > -Andy Chou > > > # BUGs | File Name > 4 | /isdn/isdn_common.c > 4 | /message/i2o_block.c > 4 | /net/sch_gred.c [...] > --------------------------------------------------------- > [BUG] Not really sure. Maybe just missing an assert? > /home/acc/linux/2.5.33/fs/reiserfs/fix_node.c:2400:fix_nodes: > ERROR:BUFFER:2400:2400:Array bounds error: p_s_tb->insert_size[5] indexed > with [5] > become the root node. */ > > RFALSE( n_h == MAX_HEIGHT - 1, > "PAP-8355: attempt to create too high of a > tree"); RFALSE asserts that (n_h == MAX_HEIGHT - 1) is false. It is only compiled conditionally, though. Hmm, and trees are rather tall than high. > > > Error ---> > p_s_tb->insert_size[n_h + 1] = (DC_SIZE + KEY_SIZE) * > (p_s_tb->blknum[n_h] - 1) + DC_SIZE; > } > else > if ( n_h < MAX_HEIGHT - 1 ) Nikita. - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/