From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-10.1 required=3.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,INCLUDES_PATCH,MAILING_LIST_MULTI,SIGNED_OFF_BY, SPF_HELO_NONE,SPF_PASS,USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id CC3BAC2D0DB for ; Fri, 24 Jan 2020 14:18:47 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 9DB64222C2 for ; Fri, 24 Jan 2020 14:18:47 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1579875527; bh=7EUQP8HwpY6+rfh1K7GoRHWZxuvTbWqNTYnVX5w5dhY=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=VnVoBuAPqaNo4Hpl0sDhDG5W8w5KW/zH9dYpVWkXF4KFfd6huw+6k+Z8urcupyB9S NyyNYnChUjbJhzys/TzUHI5EFRxGTBnMBpY7oIijVCTCzaS+m3Y+L/tTcw6oNLFPwg T/gIxA31L9vLjXteCWRPNOSh7QkEiKRhY9LVikZM= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2391078AbgAXOSr (ORCPT ); Fri, 24 Jan 2020 09:18:47 -0500 Received: from mail.kernel.org ([198.145.29.99]:38366 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2403748AbgAXOSm (ORCPT ); Fri, 24 Jan 2020 09:18:42 -0500 Received: from sasha-vm.mshome.net (c-73-47-72-35.hsd1.nh.comcast.net [73.47.72.35]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 4463024658; Fri, 24 Jan 2020 14:18:40 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1579875521; bh=7EUQP8HwpY6+rfh1K7GoRHWZxuvTbWqNTYnVX5w5dhY=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=zH8BGA2B/SwBZ7+0cLBHuEKKl9oV9/gtsW6S2EQnvMxphVlCFXo5x9G2cjK9NmfBX R80zfca+H4jn7utjvgPgwNZg1j5qm5jhARIXpOy2JwzC78HL7Z4ExW/H0XLg/wU+Md XwW1EIIIyB883MKBpdVv6rpcKl4ma2wzgwvBIfrk= From: Sasha Levin To: linux-kernel@vger.kernel.org, stable@vger.kernel.org Cc: Waiman Long , Peter Zijlstra , Bart Van Assche , Linus Torvalds , Thomas Gleixner , Ingo Molnar , Sasha Levin Subject: [PATCH AUTOSEL 5.4 020/107] locking/lockdep: Fix buffer overrun problem in stack_trace[] Date: Fri, 24 Jan 2020 09:16:50 -0500 Message-Id: <20200124141817.28793-20-sashal@kernel.org> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20200124141817.28793-1-sashal@kernel.org> References: <20200124141817.28793-1-sashal@kernel.org> MIME-Version: 1.0 X-stable: review X-Patchwork-Hint: Ignore Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Waiman Long [ Upstream commit d91f3057263ceb691ef527e71b41a56b17f6c869 ] If the lockdep code is really running out of the stack_trace entries, it is likely that buffer overrun can happen and the data immediately after stack_trace[] will be corrupted. If there is less than LOCK_TRACE_SIZE_IN_LONGS entries left before the call to save_trace(), the max_entries computation will leave it with a very large positive number because of its unsigned nature. The subsequent call to stack_trace_save() will then corrupt the data after stack_trace[]. Fix that by changing max_entries to a signed integer and check for negative value before calling stack_trace_save(). Signed-off-by: Waiman Long Signed-off-by: Peter Zijlstra (Intel) Reviewed-by: Bart Van Assche Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Thomas Gleixner Fixes: 12593b7467f9 ("locking/lockdep: Reduce space occupied by stack traces") Link: https://lkml.kernel.org/r/20191220135128.14876-1-longman@redhat.com Signed-off-by: Ingo Molnar Signed-off-by: Sasha Levin --- kernel/locking/lockdep.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/kernel/locking/lockdep.c b/kernel/locking/lockdep.c index 233459c03b5ae..35d3b6925b1ee 100644 --- a/kernel/locking/lockdep.c +++ b/kernel/locking/lockdep.c @@ -482,7 +482,7 @@ static struct lock_trace *save_trace(void) struct lock_trace *trace, *t2; struct hlist_head *hash_head; u32 hash; - unsigned int max_entries; + int max_entries; BUILD_BUG_ON_NOT_POWER_OF_2(STACK_TRACE_HASH_SIZE); BUILD_BUG_ON(LOCK_TRACE_SIZE_IN_LONGS >= MAX_STACK_TRACE_ENTRIES); @@ -490,10 +490,8 @@ static struct lock_trace *save_trace(void) trace = (struct lock_trace *)(stack_trace + nr_stack_trace_entries); max_entries = MAX_STACK_TRACE_ENTRIES - nr_stack_trace_entries - LOCK_TRACE_SIZE_IN_LONGS; - trace->nr_entries = stack_trace_save(trace->entries, max_entries, 3); - if (nr_stack_trace_entries >= MAX_STACK_TRACE_ENTRIES - - LOCK_TRACE_SIZE_IN_LONGS - 1) { + if (max_entries <= 0) { if (!debug_locks_off_graph_unlock()) return NULL; @@ -502,6 +500,7 @@ static struct lock_trace *save_trace(void) return NULL; } + trace->nr_entries = stack_trace_save(trace->entries, max_entries, 3); hash = jhash(trace->entries, trace->nr_entries * sizeof(trace->entries[0]), 0); -- 2.20.1