| From cebbert@redhat.com Thu Oct 16 16:09:02 2008 |
| From: David Rientjes <rientjes@google.com> |
| Date: Mon, 13 Oct 2008 19:42:12 -0400 |
| Subject: x86: avoid dereferencing beyond stack + THREAD_SIZE |
| To: stable@kernel.org |
| Cc: Ingo Molnar <mingo@elte.hu> |
| Message-ID: <20081013194212.6c49544a@redhat.com> |
| |
| |
| From: David Rientjes <rientjes@google.com> |
| |
| commit 60e6258cd43f9b06884f04f0f7cefb9c40f17a32 upstream |
| |
| It's possible for get_wchan() to dereference past task->stack + THREAD_SIZE |
| while iterating through instruction pointers if fp equals the upper boundary, |
| causing a kernel panic. |
| |
| Signed-off-by: David Rientjes <rientjes@google.com> |
| Signed-off-by: Ingo Molnar <mingo@elte.hu> |
| Cc: Chuck Ebbert <cebbert@redhat.com> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> |
| |
| --- |
| arch/x86/kernel/process_64.c | 4 ++-- |
| 1 file changed, 2 insertions(+), 2 deletions(-) |
| |
| --- a/arch/x86/kernel/process_64.c |
| +++ b/arch/x86/kernel/process_64.c |
| @@ -740,12 +740,12 @@ unsigned long get_wchan(struct task_stru |
| if (!p || p == current || p->state==TASK_RUNNING) |
| return 0; |
| stack = (unsigned long)task_stack_page(p); |
| - if (p->thread.sp < stack || p->thread.sp > stack+THREAD_SIZE) |
| + if (p->thread.sp < stack || p->thread.sp >= stack+THREAD_SIZE) |
| return 0; |
| fp = *(u64 *)(p->thread.sp); |
| do { |
| if (fp < (unsigned long)stack || |
| - fp > (unsigned long)stack+THREAD_SIZE) |
| + fp >= (unsigned long)stack+THREAD_SIZE) |
| return 0; |
| ip = *(u64 *)(fp+8); |
| if (!in_sched_functions(ip)) |
