Message ID | 1468210651-4199-1-git-send-email-sjitindarsingh@gmail.com (mailing list archive) |
---|---|
State | Accepted |
On 11/07/16 14:17, Suraj Jitindar Singh wrote:
> The array crash_shutdown_handles[] has size CRASH_HANDLER_MAX, thus when
> we loop over the elements of the list we check crash_shutdown_handles[i]
> && i < CRASH_HANDLER_MAX. However this means that when we increment i to
> CRASH_HANDLER_MAX we will perform an out of bound array access checking
> the first condition before exiting on the second condition.
>
> To avoid the out of bounds access, simply reorder the loop conditions.
>
> Fixes Coverity bug #128232
>
> Signed-off-by: Suraj Jitindar Singh <sjitindarsingh@gmail.com>

Fixes: 1d1451655bad ("powerpc: Add array bounds checking to crash_shutdown_handlers")

Reviewed-by: Andrew Donnellan <andrew.donnellan@au1.ibm.com>

On Mon, 2016-11-07 at 04:17:31 UTC, Suraj Jitindar Singh wrote:
> The array crash_shutdown_handles[] has size CRASH_HANDLER_MAX, thus when
> we loop over the elements of the list we check crash_shutdown_handles[i]
> && i < CRASH_HANDLER_MAX. However this means that when we increment i to
> CRASH_HANDLER_MAX we will perform an out of bound array access checking
> the first condition before exiting on the second condition.
>
> To avoid the out of bounds access, simply reorder the loop conditions.
>
> Signed-off-by: Suraj Jitindar Singh <sjitindarsingh@gmail.com>
> Reviewed-by: Andrew Donnellan <andrew.donnellan@au1.ibm.com>

Applied to powerpc next, thanks.

https://git.kernel.org/powerpc/c/a7d6392866e9777cb287ad194c

cheers

diff --git a/arch/powerpc/kernel/crash.c b/arch/powerpc/kernel/crash.c index 888bdf1..47b63de 100644 --- a/arch/powerpc/kernel/crash.c +++ b/arch/powerpc/kernel/crash.c @@ -351,7 +351,7 @@ void default_machine_crash_shutdown(struct pt_regs *regs) old_handler = __debugger_fault_handler; __debugger_fault_handler = handle_fault; crash_shutdown_cpu = smp_processor_id(); - for (i = 0; crash_shutdown_handles[i] && i < CRASH_HANDLER_MAX; i++) { + for (i = 0; i < CRASH_HANDLER_MAX && crash_shutdown_handles[i]; i++) { if (setjmp(crash_shutdown_buf) == 0) { /* * Insert syncs and delay to ensure
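
Review bot: the reordered `for` condition in default_machine_crash_shutdown() is only safe because `&&` evaluates left to right and short-circuits, and nothing in the visible lines records that the bounds test has to stay first; a one-line comment above the loop saying so would keep a later cleanup from swapping the operands back. The old order read crash_shutdown_handles[CRASH_HANDLER_MAX] only when every slot before it was non-NULL, since the loop otherwise stops at the first NULL entry, so the commit message could state that trigger condition. It also names only the Coverity id and would be easier to backport with the Fixes: tag given in the review reply.
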

The array crash_shutdown_handles[] has size CRASH_HANDLER_MAX, thus when
we loop over the elements of the list we check crash_shutdown_handles[i]
&& i < CRASH_HANDLER_MAX. However this means that when we increment i to
CRASH_HANDLER_MAX we will perform an out of bound array access checking
the first condition before exiting on the second condition.

To avoid the out of bounds access, simply reorder the loop conditions.

Fixes Coverity bug #128232

Signed-off-by: Suraj Jitindar Singh <sjitindarsingh@gmail.com>

---
 arch/powerpc/kernel/crash.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)