aboutsummaryrefslogtreecommitdiffstats
path: root/lib
diff options
context:
space:
mode:
authorAndrey Ryabinin <a.ryabinin@samsung.com>2014-08-08 17:22:07 -0400
committerLinus Torvalds <torvalds@linux-foundation.org>2014-08-08 18:57:24 -0400
commit93b7aca35dd7bf0c3ba7ea0542b556bcfdb28e76 (patch)
treed7f8872fd8e21b4ad301bda4de482ef41014c480 /lib
parent0692dedcf64bf3cdcfb9f6a51c70d49c8db351d2 (diff)
lib/idr.c: fix out-of-bounds pointer dereference
I'm working on address sanitizer project for kernel. Recently we started experiments with stack instrumentation, to detect out-of-bounds read/write bugs on stack. Just after booting I've hit out-of-bounds read on stack in idr_for_each (and in __idr_remove_all as well): struct idr_layer **paa = &pa[0]; while (id >= 0 && id <= max) { ... while (n < fls(id)) { n += IDR_BITS; p = *--paa; <--- here we are reading pa[-1] value. } } Despite the fact that after this dereference we are exiting out of loop and never use p, such behaviour is undefined and should be avoided. Fix this by moving pointer derference to the beggining of the loop, right before we will use it. Signed-off-by: Andrey Ryabinin <a.ryabinin@samsung.com> Reviewed-by: Lai Jiangshan <laijs@cn.fujitsu.com> Cc: Tejun Heo <tj@kernel.org> Cc: Alexey Preobrazhensky <preobr@google.com> Cc: Dmitry Vyukov <dvyukov@google.com> Cc: Konstantin Khlebnikov <koct9i@gmail.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'lib')
-rw-r--r--lib/idr.c25
1 files changed, 14 insertions, 11 deletions
diff --git a/lib/idr.c b/lib/idr.c
index 39158abebad1..50be3fa9b657 100644
--- a/lib/idr.c
+++ b/lib/idr.c
@@ -590,26 +590,27 @@ static void __idr_remove_all(struct idr *idp)
590 struct idr_layer **paa = &pa[0]; 590 struct idr_layer **paa = &pa[0];
591 591
592 n = idp->layers * IDR_BITS; 592 n = idp->layers * IDR_BITS;
593 p = idp->top; 593 *paa = idp->top;
594 RCU_INIT_POINTER(idp->top, NULL); 594 RCU_INIT_POINTER(idp->top, NULL);
595 max = idr_max(idp->layers); 595 max = idr_max(idp->layers);
596 596
597 id = 0; 597 id = 0;
598 while (id >= 0 && id <= max) { 598 while (id >= 0 && id <= max) {
599 p = *paa;
599 while (n > IDR_BITS && p) { 600 while (n > IDR_BITS && p) {
600 n -= IDR_BITS; 601 n -= IDR_BITS;
601 *paa++ = p;
602 p = p->ary[(id >> n) & IDR_MASK]; 602 p = p->ary[(id >> n) & IDR_MASK];
603 *++paa = p;
603 } 604 }
604 605
605 bt_mask = id; 606 bt_mask = id;
606 id += 1 << n; 607 id += 1 << n;
607 /* Get the highest bit that the above add changed from 0->1. */ 608 /* Get the highest bit that the above add changed from 0->1. */
608 while (n < fls(id ^ bt_mask)) { 609 while (n < fls(id ^ bt_mask)) {
609 if (p) 610 if (*paa)
610 free_layer(idp, p); 611 free_layer(idp, *paa);
611 n += IDR_BITS; 612 n += IDR_BITS;
612 p = *--paa; 613 --paa;
613 } 614 }
614 } 615 }
615 idp->layers = 0; 616 idp->layers = 0;
@@ -692,15 +693,16 @@ int idr_for_each(struct idr *idp,
692 struct idr_layer **paa = &pa[0]; 693 struct idr_layer **paa = &pa[0];
693 694
694 n = idp->layers * IDR_BITS; 695 n = idp->layers * IDR_BITS;
695 p = rcu_dereference_raw(idp->top); 696 *paa = rcu_dereference_raw(idp->top);
696 max = idr_max(idp->layers); 697 max = idr_max(idp->layers);
697 698
698 id = 0; 699 id = 0;
699 while (id >= 0 && id <= max) { 700 while (id >= 0 && id <= max) {
701 p = *paa;
700 while (n > 0 && p) { 702 while (n > 0 && p) {
701 n -= IDR_BITS; 703 n -= IDR_BITS;
702 *paa++ = p;
703 p = rcu_dereference_raw(p->ary[(id >> n) & IDR_MASK]); 704 p = rcu_dereference_raw(p->ary[(id >> n) & IDR_MASK]);
705 *++paa = p;
704 } 706 }
705 707
706 if (p) { 708 if (p) {
@@ -712,7 +714,7 @@ int idr_for_each(struct idr *idp,
712 id += 1 << n; 714 id += 1 << n;
713 while (n < fls(id)) { 715 while (n < fls(id)) {
714 n += IDR_BITS; 716 n += IDR_BITS;
715 p = *--paa; 717 --paa;
716 } 718 }
717 } 719 }
718 720
@@ -740,17 +742,18 @@ void *idr_get_next(struct idr *idp, int *nextidp)
740 int n, max; 742 int n, max;
741 743
742 /* find first ent */ 744 /* find first ent */
743 p = rcu_dereference_raw(idp->top); 745 p = *paa = rcu_dereference_raw(idp->top);
744 if (!p) 746 if (!p)
745 return NULL; 747 return NULL;
746 n = (p->layer + 1) * IDR_BITS; 748 n = (p->layer + 1) * IDR_BITS;
747 max = idr_max(p->layer + 1); 749 max = idr_max(p->layer + 1);
748 750
749 while (id >= 0 && id <= max) { 751 while (id >= 0 && id <= max) {
752 p = *paa;
750 while (n > 0 && p) { 753 while (n > 0 && p) {
751 n -= IDR_BITS; 754 n -= IDR_BITS;
752 *paa++ = p;
753 p = rcu_dereference_raw(p->ary[(id >> n) & IDR_MASK]); 755 p = rcu_dereference_raw(p->ary[(id >> n) & IDR_MASK]);
756 *++paa = p;
754 } 757 }
755 758
756 if (p) { 759 if (p) {
@@ -768,7 +771,7 @@ void *idr_get_next(struct idr *idp, int *nextidp)
768 id = round_up(id + 1, 1 << n); 771 id = round_up(id + 1, 1 << n);
769 while (n < fls(id)) { 772 while (n < fls(id)) {
770 n += IDR_BITS; 773 n += IDR_BITS;
771 p = *--paa; 774 --paa;
772 } 775 }
773 } 776 }
774 return NULL; 777 return NULL;