mm: Add conditions to avoid out-of-bounds

Message ID	20180604103735.42781-1-nixiaoming@huawei.com (mailing list archive)
State	New, archived
Headers	show Return-Path: <owner-linux-mm@kvack.org> Received-SPF: pass (google.com: domain of nixiaoming@huawei.com designates 45.249.212.35 as permitted sender) client-ip=45.249.212.35; From: nixiaoming <nixiaoming@huawei.com> To: <akpm@linux-foundation.org>, <vdavydov.dev@gmail.com>, <hannes@cmpxchg.org>, <garsilva@embeddedor.com>, <ktkhai@virtuozzo.com>, <stummala@codeaurora.org> CC: <nixiaoming@huawei.com>, <linux-kernel@vger.kernel.org>, <linux-mm@kvack.org> Subject: [PATCH] mm: Add conditions to avoid out-of-bounds Date: Mon, 4 Jun 2018 18:37:35 +0800 Message-ID: <20180604103735.42781-1-nixiaoming@huawei.com> MIME-Version: 1.0 Content-Type: text/plain Sender: owner-linux-mm@kvack.org Precedence: bulk

Message ID

20180604103735.42781-1-nixiaoming@huawei.com (mailing list archive)

State

New, archived

Headers

Received-SPF: pass (google.com: domain of nixiaoming@huawei.com designates
	45.249.212.35 as permitted sender) client-ip=45.249.212.35; 
From: nixiaoming <nixiaoming@huawei.com>
To: <akpm@linux-foundation.org>, <vdavydov.dev@gmail.com>,
	<hannes@cmpxchg.org>, <garsilva@embeddedor.com>, <ktkhai@virtuozzo.com>, 
	<stummala@codeaurora.org>
CC: <nixiaoming@huawei.com>, <linux-kernel@vger.kernel.org>,
	<linux-mm@kvack.org>
Subject: [PATCH] mm: Add conditions to avoid out-of-bounds
Date: Mon, 4 Jun 2018 18:37:35 +0800
Message-ID: <20180604103735.42781-1-nixiaoming@huawei.com>
MIME-Version: 1.0
Content-Type: text/plain
Sender: owner-linux-mm@kvack.org
Precedence: bulk

Commit Message

Xiaoming Ni June 4, 2018, 10:37 a.m. UTC

In the function memcg_init_list_lru
if call goto fail when i == 0, will cause out-of-bounds at lru->node[i]

The same out-of-bounds access scenario exists in the functions
memcg_update_list_lru and __memcg_init_list_lru_node

Signed-off-by: nixiaoming <nixiaoming@huawei.com>
---
 mm/list_lru.c | 7 +++++++
 1 file changed, 7 insertions(+)

Comments

Michal Hocko June 4, 2018, 11:20 a.m. UTC | #1

On Mon 04-06-18 18:37:35, nixiaoming wrote:
> In the function memcg_init_list_lru
> if call goto fail when i == 0, will cause out-of-bounds at lru->node[i]

How? All I can see is that the fail path does
	for (i = i - 1; i >= 0; i--)

so it will not do anything for i=0.

Xiaoming Ni June 4, 2018, 11:27 a.m. UTC | #2

I'm very sorry. It was my mistake. 
it won't cross the border here.

Thanks 


-----Original Message-----
From: Michal Hocko [mailto:mhocko@kernel.org] 
Sent: Monday, June 04, 2018 7:20 PM
To: Nixiaoming <nixiaoming@huawei.com>
Cc: akpm@linux-foundation.org; vdavydov.dev@gmail.com; hannes@cmpxchg.org; garsilva@embeddedor.com; ktkhai@virtuozzo.com; stummala@codeaurora.org; linux-kernel@vger.kernel.org; linux-mm@kvack.org
Subject: Re: [PATCH] mm: Add conditions to avoid out-of-bounds

On Mon 04-06-18 18:37:35, nixiaoming wrote:
> In the function memcg_init_list_lru
> if call goto fail when i == 0, will cause out-of-bounds at lru->node[i]

How? All I can see is that the fail path does
	for (i = i - 1; i >= 0; i--)

so it will not do anything for i=0.

diff --git a/mm/list_lru.c b/mm/list_lru.c
index fcfb6c8..ec6bdd9 100644
--- a/mm/list_lru.c
+++ b/mm/list_lru.c
@@ -298,6 +298,9 @@  static void __memcg_destroy_list_lru_node(struct list_lru_memcg *memcg_lrus,
 {
 	int i;
 
+	if (unlikely(begin >= end))
+		return;
+
 	for (i = begin; i < end; i++)
 		kfree(memcg_lrus->lru[i]);
 }
@@ -422,6 +425,8 @@  static int memcg_init_list_lru(struct list_lru *lru, bool memcg_aware)
 	}
 	return 0;
 fail:
+	if (unlikely(i == 0))
+		return -ENOMEM;
 	for (i = i - 1; i >= 0; i--) {
 		if (!lru->node[i].memcg_lrus)
 			continue;
@@ -456,6 +461,8 @@  static int memcg_update_list_lru(struct list_lru *lru,
 	}
 	return 0;
 fail:
+	if (unlikely(i == 0))
+		return -ENOMEM;
 	for (i = i - 1; i >= 0; i--) {
 		if (!lru->node[i].memcg_lrus)
 			continue;

mm: Add conditions to avoid out-of-bounds

Commit Message

Comments

Patch