From patchwork Tue Apr 7 03:10:15 2020
X-Patchwork-Submitter: Andrew Morton
X-Patchwork-Id: 11477405
Date: Mon, 06 Apr 2020 20:10:15 -0700
From: Andrew Morton
To: akpm@linux-foundation.org, andreyknvl@google.com, arnd@arndb.de, aryabinin@virtuozzo.com, dan.carpenter@oracle.com, dvyukov@google.com, elver@google.com, glider@google.com, linux-mm@kvack.org, mm-commits@vger.kernel.org, sergey.senozhatsky@gmail.com, torvalds@linux-foundation.org, vegard.nossum@oracle.com
Subject: [patch 117/166] lib/stackdepot.c: check depot_index before accessing the stack slab
Message-ID: <20200407031015.xHHCl9ozQ%akpm@linux-foundation.org>
In-Reply-To: <20200406200254.a69ebd9e08c4074e41ddebaf@linux-foundation.org>

From: Alexander Potapenko
Subject: lib/stackdepot.c: check depot_index before accessing the stack slab

Avoid crashes on corrupted stack ids.

Although stack ID corruption may indicate other bugs in the program, we'd
better fail gracefully on such IDs instead of crashing the kernel.

This patch has been previously mailed as part of the KMSAN RFC patch series.

Link: http://lkml.kernel.org/r/20200220141916.55455-1-glider@google.com
Signed-off-by: Alexander Potapenko
Cc: Vegard Nossum
Cc: Dmitry Vyukov
Cc: Marco Elver
Cc: Andrey Konovalov
Cc: Andrey Ryabinin
Cc: Arnd Bergmann
Cc: Sergey Senozhatsky

From: Dan Carpenter
Subject: lib/stackdepot.c: fix a condition in stack_depot_fetch()

We should check for a NULL pointer first before adding the offset.
Otherwise, if the pointer is NULL and the offset is non-zero, it will lead
to an Oops.

Link: http://lkml.kernel.org/r/20200312113006.GA20562@mwanda
Fixes: d45048e65a59 ("lib/stackdepot.c: check depot_index before accessing the stack slab")
Signed-off-by: Dan Carpenter
Acked-by: Alexander Potapenko
Signed-off-by: Andrew Morton
---
 lib/stackdepot.c | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)
--- a/lib/stackdepot.c~stackdepot-check-depot_index-before-accessing-the-stack-slab +++ a/lib/stackdepot.c @@ -202,9 +202,20 @@ unsigned int stack_depot_fetch(depot_sta unsigned long **entries) { union handle_parts parts = { .handle = handle }; - void *slab = stack_slabs[parts.slabindex]; + void *slab; size_t offset = parts.offset << STACK_ALLOC_ALIGN; - struct stack_record *stack = slab + offset; + struct stack_record *stack; + + *entries = NULL; + if (parts.slabindex > depot_index) { + WARN(1, "slab index %d out of bounds (%d) for stack id %08x\n", + parts.slabindex, depot_index, handle); + return 0; + } + slab = stack_slabs[parts.slabindex]; + if (!slab) + return 0; + stack = slab + offset; *entries = stack->entries; return stack->size;
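Review bot: the bound check `if (parts.slabindex > depot_index)` deliberately accepts equality, which is only right if depot_index names the slab currently being filled rather than a count of slabs; a one-line comment at that check would keep a later reader from "fixing" it to `>=`. The ordering `slab = stack_slabs[parts.slabindex]; if (!slab) return 0; stack = slab + offset;` is the important part of the folded-in fix, since the NULL test now runs before any pointer arithmetic on the slab pointer. Two smaller points: `WARN(1, ...)` fires on every fetch of the same corrupted id, so a caller that walks many objects can repeat the same splat until the log is useless, where `WARN_ONCE` or a ratelimited print would carry the same information; and the hunk introduces a new failure contract (return 0 with `*entries = NULL`) without updating the function's documentation, so callers are not told to treat a zero return as "no stack recorded".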
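The two commit messages describe one lookup with two validation steps: reject a slab index beyond `depot_index`, then reject a NULL slab before the offset is added. The following userland model, an added example that is not the kernel's code, reproduces that checked lookup so the three cases (valid handle, out-of-bounds index, unpublished slab) can be run side by side. The handle bit widths, the slab size, `depot_save()` and `self_check()` are assumptions made for the model, not stackdepot internals.

```c
/* Userland model of the patch's checked stack_depot_fetch() lookup. Added example, not
 * kernel code: the handle bit widths, slab size and depot_save() side are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SLAB_INDEX_BITS 8                                   /* up to 256 slabs in this model */
#define OFFSET_BITS     12
#define ALIGN_SHIFT     4                                   /* plays STACK_ALLOC_ALIGN */
#define SLAB_SIZE       (1u << (OFFSET_BITS + ALIGN_SHIFT)) /* 64 KiB per slab */
#define MAX_ENTRIES     16

struct stack_record {
    uint32_t size;                       /* number of valid entries */
    unsigned long entries[MAX_ENTRIES];  /* saved return addresses */
};

union handle_parts {
    uint32_t handle;
    struct { uint32_t slabindex : SLAB_INDEX_BITS, offset : OFFSET_BITS, valid : 1; } f;
};

static void *stack_slabs[1u << SLAB_INDEX_BITS];
static int depot_index = -1;   /* index of the slab currently being filled; -1 before any */
static size_t depot_offset;    /* next free byte inside stack_slabs[depot_index] */

/* Allocation side of the model: append a record, opening a new slab when the current one is full. */
uint32_t depot_save(const unsigned long *entries, uint32_t n)
{
    const size_t align = 1u << ALIGN_SHIFT;
    size_t rec_size = (sizeof(struct stack_record) + align - 1) & ~(align - 1);
    union handle_parts parts = { .handle = 0 };
    struct stack_record *rec;
    if (n > MAX_ENTRIES)
        return 0;
    if (depot_index < 0 || depot_offset + rec_size > SLAB_SIZE) {
        void *slab = depot_index + 1 < (1 << SLAB_INDEX_BITS) ? calloc(1, SLAB_SIZE) : NULL;
        if (!slab)
            return 0;
        stack_slabs[++depot_index] = slab;
        depot_offset = 0;
    }
    rec = (struct stack_record *)((char *)stack_slabs[depot_index] + depot_offset);
    rec->size = n;
    memcpy(rec->entries, entries, n * sizeof(*entries));
    parts.f.slabindex = depot_index;
    parts.f.offset = depot_offset >> ALIGN_SHIFT;
    parts.f.valid = 1;
    depot_offset += rec_size;
    return parts.handle;
}

/* Checked lookup in the patch's order: bound check, NULL check, only then slab + offset. */
uint32_t depot_fetch(uint32_t handle, unsigned long **entries)
{
    union handle_parts parts = { .handle = handle };
    size_t offset = (size_t)parts.f.offset << ALIGN_SHIFT;
    void *slab;
    struct stack_record *stack;
    *entries = NULL;                    /* every failure path reports "no entries" */
    if ((int)parts.f.slabindex > depot_index) {
        fprintf(stderr, "slab index %u out of bounds (%d) for stack id %08x\n",
                (unsigned)parts.f.slabindex, depot_index, (unsigned)handle);
        return 0;
    }
    slab = stack_slabs[parts.f.slabindex];
    if (!slab)                          /* tested before the arithmetic, per Dan Carpenter's fix */
        return 0;
    stack = (struct stack_record *)((char *)slab + offset);
    *entries = stack->entries;
    return stack->size;
}

/* Exercises the cases the patch covers; returns 0 when all behave, else the failing case number. */
int self_check(void)
{
    unsigned long frames[3] = { 0x1000UL, 0x2000UL, 0x3000UL };   /* constructed addresses */
    unsigned long *e; void *saved;
    uint32_t h = depot_save(frames, 3);
    union handle_parts bad = { .handle = h };
    bad.f.slabindex = 7;                        /* constructed corruption: index past depot_index */
    if (h == 0 || depot_fetch(h, &e) != 3 || e[1] != 0x2000UL)
        return 1;                               /* a valid handle round-trips */
    if (depot_fetch(bad.handle, &e) != 0 || e != NULL)
        return 2;                               /* out-of-bounds index is rejected, nothing dereferenced */
    saved = stack_slabs[0];
    stack_slabs[0] = NULL;                      /* slot within the bound whose slab is unpublished */
    if (depot_fetch(h, &e) != 0 || e != NULL)
        return 3;                               /* NULL slab never reaches slab + offset */
    stack_slabs[0] = saved;
    return 0;
}

int main(void)
{
    int rc = self_check();
    return printf("self_check: %s\n", rc ? "FAILED" : "ok"), rc;
}
```

The order inside `depot_fetch()` is the whole point: the index is compared against `depot_index` before it is used to index `stack_slabs`, and the slab pointer is tested for NULL before `offset` is added to it, so a handle with a stale index or an unpublished slab yields a zero size and a NULL entries pointer instead of a read through a garbage address. The model's `depot_save()` mirrors the index semantics this relies on, with `depot_index` naming the slab currently being filled, which is why the bound check uses `>` and not `>=`.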