sparc64: Fix end-of-stack checking in save_stack_trace().

Bug reported by Alexander Beregalov. Before we dereference the stack frame or try to peek at the pt_regs magic value, make sure the entire object is within the kernel stack bounds. Signed-off-by: David S. Miller <davem@davemloft.net>
author: David S. Miller <davem@davemloft.net> 2008-08-08 02:04:37 -0400
committer: David S. Miller <davem@davemloft.net> 2008-08-08 02:04:37 -0400
commit: 433c5f706856689be25928a99636e724fb3ea7cf (patch)
tree: 4a76f75ebec4adf1140a6f7930ce701b11d42d98
parent: 764f2579d95120e1c76b7af1256d02466ddd00bf (diff)
1 files changed, 4 insertions, 2 deletions
diff --git a/arch/sparc64/kernel/stacktrace.c b/arch/sparc64/kernel/stacktrace.c
index b3e3737750d8..e9d7f0660f2e 100644
--- a/arch/sparc64/kernel/stacktrace.c
+++ b/arch/sparc64/kernel/stacktrace.c
@@ -26,13 +26,15 @@ void save_stack_trace(struct stack_trace *trace)
                /* Bogus frame pointer? */
                if (fp < (thread_base + sizeof(struct thread_info)) ||
-                    fp >= (thread_base + THREAD_SIZE))
+                    fp > (thread_base + THREAD_SIZE - sizeof(struct sparc_stackf)))
                        break;
                sf = (struct sparc_stackf *) fp;
                regs = (struct pt_regs *) (sf + 1);
-                if ((regs->magic & ~0x1ff) == PT_REGS_MAGIC) {
+                if (((unsigned long)regs <=
+                     (thread_base + THREAD_SIZE - sizeof(*regs))) &&
+                    (regs->magic & ~0x1ff) == PT_REGS_MAGIC) {
                        if (!(regs->tstate & TSTATE_PRIV))
                                break;
                        pc = regs->tpc;
author	David S. Miller <davem@davemloft.net>	2008-08-08 02:04:37 -0400
committer	David S. Miller <davem@davemloft.net>	2008-08-08 02:04:37 -0400
commit	433c5f706856689be25928a99636e724fb3ea7cf (patch)
tree	4a76f75ebec4adf1140a6f7930ce701b11d42d98
parent	764f2579d95120e1c76b7af1256d02466ddd00bf (diff)