| From cebbert@redhat.com Tue Nov 4 14:28:40 2008 |
| From: David Rientjes <rientjes@google.com> |
| Date: Sun, 26 Oct 2008 18:13:59 -0400 |
| Subject: x86: avoid dereferencing beyond stack + THREAD_SIZE |
| To: stable@kernel.org |
| Cc: Ingo Molnar <mingo@elte.hu> |
| Message-ID: <20081026181359.246d413d@redhat.com> |
| |
| |
| From: David Rientjes <rientjes@google.com> |
| |
| commit e1e23bb0513520035ec934fa3483507cb6648b7c upstream |
| |
| x86: avoid dereferencing beyond stack + THREAD_SIZE |
| |
| It's possible for get_wchan() to dereference past task->stack + THREAD_SIZE |
| while iterating through instruction pointers if fp equals the upper boundary, |
| causing a kernel panic. |
| |
| Signed-off-by: David Rientjes <rientjes@google.com> |
| Signed-off-by: Ingo Molnar <mingo@elte.hu> |
| Cc: Chuck Ebbert <cebbert@redhat.com> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> |
| |
| --- |
| arch/x86/kernel/process_64.c | 4 ++-- |
| 1 file changed, 2 insertions(+), 2 deletions(-) |
| |
| --- a/arch/x86/kernel/process_64.c |
| +++ b/arch/x86/kernel/process_64.c |
| @@ -729,12 +729,12 @@ unsigned long get_wchan(struct task_stru |
| if (!p || p == current || p->state==TASK_RUNNING) |
| return 0; |
| stack = (unsigned long)task_stack_page(p); |
| - if (p->thread.sp < stack || p->thread.sp > stack+THREAD_SIZE) |
| + if (p->thread.sp < stack || p->thread.sp >= stack+THREAD_SIZE) |
| return 0; |
| fp = *(u64 *)(p->thread.sp); |
| do { |
| if (fp < (unsigned long)stack || |
| - fp > (unsigned long)stack+THREAD_SIZE) |
| + fp >= (unsigned long)stack+THREAD_SIZE) |
| return 0; |
| ip = *(u64 *)(fp+8); |
| if (!in_sched_functions(ip)) |
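Review bot: The tightened guard on the `fp` line still lets the read `ip = *(u64 *)(fp+8);` straddle the top of the stack, because it only rejects `fp >= stack+THREAD_SIZE` while the dereference touches bytes `fp+8 .. fp+15`; an `fp` of `stack+THREAD_SIZE-8` passes the check and reads the eight bytes at `stack+THREAD_SIZE`, which is exactly the class of out-of-range access this patch is meant to close. The check should bound the object actually read rather than the pointer itself, e.g. `if (fp < (unsigned long)stack || fp + 2 * sizeof(u64) > (unsigned long)stack + THREAD_SIZE) return 0;`. The same reasoning applies to the earlier `fp = *(u64 *)(p->thread.sp);` read, though on x86-64 `sp` is presumably 8-byte aligned so the corrected `>=` test is sufficient there — worth confirming rather than relying on. The rest of the loop body, including whatever advances `fp` on the next iteration, lies outside this hunk, and `get_wchan` inspects another task's stack without any lock or `probe_kernel_address()`-style guarded access, so a task whose stack is freed concurrently remains a separate concern the commit does not address.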