releases/2.6.26.3/0001-sparc64-Fix-end-of-stack-checking-in-save_stack_tra.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From f2c77753e729813bfc9df9c82c54598c830ea32a Mon Sep 17 00:00:00 2001
 From: David S. Miller <davem@davemloft.net>
 Date: Sun, 17 Aug 2008 20:34:14 -0700
 Subject: sparc64: Fix end-of-stack checking in save_stack_trace().
 Message-Id: <20080817.212911.193702300.davem@davemloft.net>

 From: David S. Miller <davem@davemloft.net>

 [ Upstream commit 433c5f706856689be25928a99636e724fb3ea7cf ]

 Bug reported by Alexander Beregalov.

 Before we dereference the stack frame or try to peek at the
 pt_regs magic value, make sure the entire object is within
 the kernel stack bounds.

 Signed-off-by: David S. Miller <davem@davemloft.net>
 Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

 ---
  arch/sparc64/kernel/stacktrace.c |    6 ++++--
  1 file changed, 4 insertions(+), 2 deletions(-)

 --- a/arch/sparc64/kernel/stacktrace.c
 +++ b/arch/sparc64/kernel/stacktrace.c
 @@ -25,13 +25,15 @@ void save_stack_trace(struct stack_trace

  		/* Bogus frame pointer? */
  		if (fp < (thread_base + sizeof(struct thread_info)) ||
 -		    fp >= (thread_base + THREAD_SIZE))
 +		    fp > (thread_base + THREAD_SIZE - sizeof(struct sparc_stackf)))
  			break;

  		sf = (struct sparc_stackf *) fp;
  		regs = (struct pt_regs *) (sf + 1);

 -		if ((regs->magic & ~0x1ff) == PT_REGS_MAGIC) {
 +		if (((unsigned long)regs <=
 +		     (thread_base + THREAD_SIZE - sizeof(*regs))) &&
 +		    (regs->magic & ~0x1ff) == PT_REGS_MAGIC) {
  			if (!(regs->tstate & TSTATE_PRIV))
  				break;
  			pc = regs->tpc;
	From f2c77753e729813bfc9df9c82c54598c830ea32a Mon Sep 17 00:00:00 2001
	From: David S. Miller <davem@davemloft.net>
	Date: Sun, 17 Aug 2008 20:34:14 -0700
	Subject: sparc64: Fix end-of-stack checking in save_stack_trace().
	Message-Id: <20080817.212911.193702300.davem@davemloft.net>

	From: David S. Miller <davem@davemloft.net>

	[ Upstream commit 433c5f706856689be25928a99636e724fb3ea7cf ]

	Bug reported by Alexander Beregalov.

	Before we dereference the stack frame or try to peek at the
	pt_regs magic value, make sure the entire object is within
	the kernel stack bounds.

	Signed-off-by: David S. Miller <davem@davemloft.net>
	Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

	---
	arch/sparc64/kernel/stacktrace.c \| 6 ++++--
	1 file changed, 4 insertions(+), 2 deletions(-)

	--- a/arch/sparc64/kernel/stacktrace.c
	+++ b/arch/sparc64/kernel/stacktrace.c
	@@ -25,13 +25,15 @@ void save_stack_trace(struct stack_trace

	/* Bogus frame pointer? */
	if (fp < (thread_base + sizeof(struct thread_info)) \|\|
	- fp >= (thread_base + THREAD_SIZE))
	+ fp > (thread_base + THREAD_SIZE - sizeof(struct sparc_stackf)))
	break;

	sf = (struct sparc_stackf *) fp;
	regs = (struct pt_regs *) (sf + 1);

	- if ((regs->magic & ~0x1ff) == PT_REGS_MAGIC) {
	+ if (((unsigned long)regs <=
	+ (thread_base + THREAD_SIZE - sizeof(*regs))) &&
	+ (regs->magic & ~0x1ff) == PT_REGS_MAGIC) {
	if (!(regs->tstate & TSTATE_PRIV))
	break;
	pc = regs->tpc;