Message ID | 20150813202747.GA6478@mwanda |
---|---|
State | Not Applicable, archived |
Delegated to: | David Miller |
Headers | show |
On 08/13/2015 10:27 PM, Dan Carpenter wrote: > The loop iterates one space too far, so we might read beyond the end of > the func_limit[] array. > > Fixes: 35578d798400 ('bpf: Implement function bpf_perf_event_read() that get the selected hardware PMU conuter') > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Thanks for the fix, Dan! There's however already one queued up here: https://git.kernel.org/cgit/linux/kernel/git/davem/net-next.git/commit/?id=140d8b335a9beb234fd0ed9a15aa6a47f47fd771 > diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c > index 48e1c71..ed12e38 100644 > --- a/kernel/bpf/verifier.c > +++ b/kernel/bpf/verifier.c > @@ -853,7 +853,7 @@ static int check_map_func_compatibility(struct bpf_map *map, int func_id) > if (!map) > return 0; > > - for (i = 0; i <= ARRAY_SIZE(func_limit); i++) { > + for (i = 0; i < ARRAY_SIZE(func_limit); i++) { > bool_map = (map->map_type == func_limit[i].map_type); > bool_func = (func_id == func_limit[i].func_id); > /* only when map & func pair match it can continue. > -- > To unsubscribe from this list: send the line "unsubscribe netdev" in > the body of a message to majordomo@vger.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html > -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index 48e1c71..ed12e38 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -853,7 +853,7 @@ static int check_map_func_compatibility(struct bpf_map *map, int func_id) if (!map) return 0; - for (i = 0; i <= ARRAY_SIZE(func_limit); i++) { + for (i = 0; i < ARRAY_SIZE(func_limit); i++) { bool_map = (map->map_type == func_limit[i].map_type); bool_func = (func_id == func_limit[i].func_id); /* only when map & func pair match it can continue.
The loop iterates one space too far, so we might read beyond the end of the func_limit[] array. Fixes: 35578d798400 ('bpf: Implement function bpf_perf_event_read() that get the selected hardware PMU conuter') Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html