On Wed, Sep 11, 2013 at 10:16:32PM +0400, Dmitry Vyukov wrote:
> On Wed, Sep 11, 2013 at 2:06 AM, Andi Kleen <a...@linux.intel.com> wrote:
> >> Indeed, get_wchan ensures that fp<stack+THREAD_SIZE, but then dereferences
> >> fp+8:
> >>
> >> 434 if (fp < (unsigned long)stack ||
> >> 435 fp >= (unsigned long)stack+THREAD_SIZE)
> >> 436 return 0;
> >> 437 ip = *(u64 *)(fp+8);
> >>
> >> It must check that fp+8<stack+THREAD_SIZE.
> >> As far as I see, the bug can lead to garbage return values or in the
> >> worst case to crash.
> >
> > Thanks for the report.
> >
> > The change looks good to me. Can you please submit a formal signed off patch
> > to x...@kernel.org ?
Can you CC this to lkml as well? x86@ isn't a public list, IIUC.

Please note that these bounds checks aren't correct to begin with. Since a
pointer is being dereferenced, the end boundary must be reduced by
sizeof(unsigned long) as well.

It looks like process_32.c suffers the same problems, too.

-Kees

--
Kees Cook
@outflux.net
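The bound Kees describes, as an added example that is not code from this thread or from the kernel: the 64-byte THREAD_SIZE, the 0x1000 stack base used in testing and the helper names are assumptions. It places the quoted check beside one that requires the whole 8-byte load at fp+8 (and the later load at fp) to fit inside the stack, and overrun_bytes() reports how far past the end the quoted check would let the read reach.

```c
#include <stdint.h>
#include <stddef.h>

typedef uint64_t u64;

/* Assumed value for this constructed example (not the kernel's): a small
 * "thread stack" of THREAD_SIZE bytes starting at address 'stack'. */
#define THREAD_SIZE 64UL

/* The check as quoted from get_wchan(): only fp itself is tested, so
 * fp == stack + THREAD_SIZE - 8 passes and the following
 * ip = *(u64 *)(fp + 8) reads the 8 bytes just past the stack.
 * Returns 1 when fp passes the check. */
static int fp_check_original(unsigned long fp, unsigned long stack)
{
    if (fp < stack || fp >= stack + THREAD_SIZE)
        return 0;
    return 1;
}

/* Is every byte of a 'size'-byte access at 'addr' inside
 * [stack, stack + THREAD_SIZE)?  This is the correction from the reply:
 * the upper bound moves down by the size of the object being read.
 * Rearranged so the comparison cannot wrap (THREAD_SIZE >= size assumed). */
static int access_within_stack(unsigned long addr, size_t size,
                               unsigned long stack)
{
    if (addr < stack)
        return 0;
    if (addr - stack > THREAD_SIZE - size)
        return 0;
    return 1;
}

/* The walker performs two loads per iteration, ip = *(u64 *)(fp + 8) and
 * fp = *(u64 *)fp; both must be validated before either is performed. */
static int fp_check_fixed(unsigned long fp, unsigned long stack)
{
    return access_within_stack(fp, sizeof(u64), stack) &&
           access_within_stack(fp + 8, sizeof(u64), stack);
}

/* Bytes past the end of the stack that *(u64 *)(fp + 8) would read if fp
 * passed only the original check (0 when the read is in bounds). */
static unsigned long overrun_bytes(unsigned long fp, unsigned long stack)
{
    unsigned long end = stack + THREAD_SIZE;
    unsigned long read_end = fp + 8 + sizeof(u64);

    if (!fp_check_original(fp, stack) || read_end <= end)
        return 0;
    return read_end - end;
}
```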