| From foo@baz Fri Jan 4 20:27:35 CET 2019 |
| From: Cong Wang <xiyou.wangcong@gmail.com> |
| Date: Sun, 30 Dec 2018 12:43:42 -0800 |
| Subject: ptr_ring: wrap back ->producer in __ptr_ring_swap_queue() |
| |
| From: Cong Wang <xiyou.wangcong@gmail.com> |
| |
| [ Upstream commit aff6db454599d62191aabc208930e891748e4322 ] |
| |
| __ptr_ring_swap_queue() tries to move pointers from the old |
| ring to the new one, but it forgets to check if ->producer |
| is beyond the new size at the end of the operation. This leads |
| to an out-of-bounds access in __ptr_ring_produce() as reported |
| by syzbot. |
| |
| Reported-by: syzbot+8993c0fa96d57c399735@syzkaller.appspotmail.com |
| Fixes: 5d49de532002 ("ptr_ring: resize support") |
| Cc: "Michael S. Tsirkin" <mst@redhat.com> |
| Cc: John Fastabend <john.fastabend@gmail.com> |
| Cc: Jason Wang <jasowang@redhat.com> |
| Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com> |
| Acked-by: Michael S. Tsirkin <mst@redhat.com> |
| Signed-off-by: David S. Miller <davem@davemloft.net> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| --- |
| include/linux/ptr_ring.h | 2 ++ |
| 1 file changed, 2 insertions(+) |
| |
| --- a/include/linux/ptr_ring.h |
| +++ b/include/linux/ptr_ring.h |
| @@ -384,6 +384,8 @@ static inline void **__ptr_ring_swap_que |
| else if (destroy) |
| destroy(ptr); |
| |
| + if (producer >= size) |
| + producer = 0; |
| r->size = size; |
| r->producer = producer; |
| r->consumer = 0; |
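| Review bot: the new `if (producer >= size)` / `producer = 0;` check needs a comment stating which case it handles, because a reader of this hunk only sees it sitting between the `destroy(ptr)` branch and the `r->size = size; r->producer = producer; r->consumer = 0;` assignments and has to reconstruct that `producer == size` is the "every slot of the new ring was filled" case, where `size` is one past the last valid index of the new queue and, per the commit message, is what __ptr_ring_produce() then dereferenced out of bounds. After the wrap, `r->producer` and `r->consumer` are both 0 with slot 0 occupied, which is the ring-full state the producer side should see rather than an index past the array. Suggest a one-line comment above the check, e.g. `/* new ring completely filled: wrap producer so the next produce sees the occupied slot 0 */`. The `>=` rather than `==` is fine as a defensive choice, since the copy loop above the hunk is not visible here and `>=` covers it either way. |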