| From: Liam Howlett <liam.howlett@oracle.com> |
| Subject: maple_tree: fix out of bounds access on mas_wr_node_walk() |
| Date: Wed, 13 Jul 2022 02:13:12 +0000 |
| |
| When walking the node, check to see if offset is within the range of |
| pivots before reading that pivot, otherwise return the max of the node. |
| |
| Link: https://lkml.kernel.org/r/20220713021256.542856-1-Liam.Howlett@oracle.com |
| Fixes: d0aac5e48048 (Maple Tree: add new data structure) |
| Signed-off-by: Liam R. Howlett <Liam.Howlett@oracle.com> |
| Reported-by: Yu Zhao <yuzhao@google.com> |
| Signed-off-by: Andrew Morton <akpm@linux-foundation.org> |
| --- |
| |
| lib/maple_tree.c | 4 ++-- |
| 1 file changed, 2 insertions(+), 2 deletions(-) |
| |
| --- a/lib/maple_tree.c~maple-tree-add-new-data-structure-fix-4 |
| +++ a/lib/maple_tree.c |
| @@ -2254,10 +2254,10 @@ static inline void mas_wr_node_walk(stru |
| wr_mas->pivots, mas->max); |
| offset = mas->offset; |
| min = mas_safe_min(mas, wr_mas->pivots, offset); |
| - max = wr_mas->pivots[offset]; |
| if (unlikely(offset == count)) |
| - goto max; /* may have been set to zero */ |
| + goto max; |
| |
| + max = wr_mas->pivots[offset]; |
| index = mas->index; |
| if (unlikely(index <= max)) |
| goto done; |
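Review bot: on the `if (unlikely(offset == count)) goto max;` path, `max` is no longer assigned before the jump, so the code at the `max:` label (outside this hunk) has to set it unconditionally before any use. Please confirm that it does. The removed comment `/* may have been set to zero */` was the only explanation for the early exit. A replacement comment saying that `offset == count` means there is no pivot to read at that slot would keep the reason for the reordering visible. The guard is also an equality test: if `offset` can ever exceed `count`, the read of `wr_mas->pivots[offset]` is still out of range, so either use `>=` or state the invariant that rules this out.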
| _ |