diff options
author | David S. Miller <davem@davemloft.net> | 2008-08-08 02:04:37 -0400 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2008-08-08 02:04:37 -0400 |
commit | 433c5f706856689be25928a99636e724fb3ea7cf (patch) | |
tree | 4a76f75ebec4adf1140a6f7930ce701b11d42d98 /arch/sparc64 | |
parent | 764f2579d95120e1c76b7af1256d02466ddd00bf (diff) |
sparc64: Fix end-of-stack checking in save_stack_trace().
Bug reported by Alexander Beregalov.
Before we dereference the stack frame or try to peek at the
pt_regs magic value, make sure the entire object is within
the kernel stack bounds.
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'arch/sparc64')
-rw-r--r-- | arch/sparc64/kernel/stacktrace.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/arch/sparc64/kernel/stacktrace.c b/arch/sparc64/kernel/stacktrace.c index b3e3737750d..e9d7f0660f2 100644 --- a/arch/sparc64/kernel/stacktrace.c +++ b/arch/sparc64/kernel/stacktrace.c | |||
@@ -26,13 +26,15 @@ void save_stack_trace(struct stack_trace *trace) | |||
26 | 26 | ||
27 | /* Bogus frame pointer? */ | 27 | /* Bogus frame pointer? */ |
28 | if (fp < (thread_base + sizeof(struct thread_info)) || | 28 | if (fp < (thread_base + sizeof(struct thread_info)) || |
29 | fp >= (thread_base + THREAD_SIZE)) | 29 | fp > (thread_base + THREAD_SIZE - sizeof(struct sparc_stackf))) |
30 | break; | 30 | break; |
31 | 31 | ||
32 | sf = (struct sparc_stackf *) fp; | 32 | sf = (struct sparc_stackf *) fp; |
33 | regs = (struct pt_regs *) (sf + 1); | 33 | regs = (struct pt_regs *) (sf + 1); |
34 | 34 | ||
35 | if ((regs->magic & ~0x1ff) == PT_REGS_MAGIC) { | 35 | if (((unsigned long)regs <= |
36 | (thread_base + THREAD_SIZE - sizeof(*regs))) && | ||
37 | (regs->magic & ~0x1ff) == PT_REGS_MAGIC) { | ||
36 | if (!(regs->tstate & TSTATE_PRIV)) | 38 | if (!(regs->tstate & TSTATE_PRIV)) |
37 | break; | 39 | break; |
38 | pc = regs->tpc; | 40 | pc = regs->tpc; |