From: Arnd Bergmann
Date: Fri, 8 Oct 2021 09:02:14 +0200
Subject: Re: [PATCH] isdn: cpai: check ctr->cnr to avoid array index out of bound
To: Xiaolong Huang
Cc: Karsten Keil, David Miller, Arnd Bergmann, Networking, Linux Kernel Mailing List

On Fri, Oct 8, 2021 at 8:58 AM Xiaolong Huang wrote:
>
> The cmtp_add_connection() would add a cmtp session to a controller
> and run a kernel thread to process cmtp.
>
>         __module_get(THIS_MODULE);
>         session->task = kthread_run(cmtp_session, session, "kcmtpd_ctr_%d",
>                                     session->num);
>
> During this process, the kernel thread would call detach_capi_ctr()
> to detach a register controller. If the controller
> was not attached yet, detach_capi_ctr() would
> trigger an array-index-out-bounds bug.
>
> [ 46.866069][ T6479] UBSAN: array-index-out-of-bounds in drivers/isdn/capi/kcapi.c:483:21
> [ 46.867196][ T6479] index -1 is out of range for type 'capi_ctr *[32]'
> [ 46.867982][ T6479] CPU: 1 PID: 6479 Comm: kcmtpd_ctr_0 Not tainted 5.15.0-rc2+ #8
> [ 46.869002][ T6479] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014
> [ 46.870107][ T6479] Call Trace:
> [ 46.870473][ T6479] dump_stack_lvl+0x57/0x7d
> [ 46.870974][ T6479] ubsan_epilogue+0x5/0x40
> [ 46.871458][ T6479] __ubsan_handle_out_of_bounds.cold+0x43/0x48
> [ 46.872135][ T6479] detach_capi_ctr+0x64/0xc0
> [ 46.872639][ T6479] cmtp_session+0x5c8/0x5d0
> [ 46.873131][ T6479] ? __init_waitqueue_head+0x60/0x60
> [ 46.873712][ T6479] ? cmtp_add_msgpart+0x120/0x120
> [ 46.874256][ T6479] kthread+0x147/0x170
> [ 46.874709][ T6479] ? set_kthread_struct+0x40/0x40
> [ 46.875248][ T6479] ret_from_fork+0x1f/0x30
> [ 46.875773][ T6479]
>
> Signed-off-by: Xiaolong Huang

Acked-by: Arnd Bergmann
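
The failure mode in the quoted report, modelled in user space as an added example (not part of this thread and not the kernel patch): a controller that was never attached keeps cnr 0, so using cnr - 1 as an index into a 32-entry table gives -1 unless cnr is range-checked first. The names ctr_model, ctr_table, attach_ctr and detach_ctr are hypothetical, and the "0 means unattached, slots are numbered from 1" convention is an assumption chosen to match the reported index of -1.

```c
/* User-space model (constructed) of a controller table indexed by cnr - 1. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_CONTR 32            /* table size taken from the UBSAN report */

struct ctr_model {
    int cnr;                    /* assumed: 1-based slot, 0 = never attached */
};

static struct ctr_model *ctr_table[MAX_CONTR];

/* Attach: take the first free slot and record its 1-based number. */
static int attach_ctr(struct ctr_model *ctr)
{
    for (int i = 0; i < MAX_CONTR; i++) {
        if (ctr_table[i] == NULL) {
            ctr_table[i] = ctr;
            ctr->cnr = i + 1;
            return 0;
        }
    }
    return -EBUSY;
}

/* Detach: validate cnr before it is turned into an array index. */
static int detach_ctr(struct ctr_model *ctr)
{
    if (ctr->cnr < 1 || ctr->cnr > MAX_CONTR)
        return -EINVAL;         /* cnr == 0 would have indexed slot -1 */
    if (ctr_table[ctr->cnr - 1] != ctr)
        return -EINVAL;         /* slot does not hold this controller */
    ctr_table[ctr->cnr - 1] = NULL;
    ctr->cnr = 0;
    return 0;
}

int main(void)
{
    struct ctr_model never_attached = {0}, attached = {0};

    attach_ctr(&attached);
    printf("detach of unattached controller: %d\n", detach_ctr(&never_attached));
    printf("detach of attached controller:   %d\n", detach_ctr(&attached));
    return 0;
}
```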