On Wed, 20 Feb 2013, Tejun Heo wrote:
> When idr_find() is fed a negative ID, it used to look up the ID
> ignoring the sign bit before recent ("idr: remove MAX_IDR_MASK and
> move left MAX_IDR_* into idr.c") patch, and triggers WARN_ON_ONCE()
> after it.
>
> __lock_timer() feeds timer_id from userland directly to idr_find()
> without sanitizing it which can trigger the above malfunctions. Add a
> range check on @timer_id before invoking idr_find() in __lock_timer().
>
> While timer_t is defined as int by all archs at the moment, Andrew
> worries that it may be defined as a larger type later on. Make the
> test cover larger integers too so that it at least is guaranteed to
> not return the wrong timer.
Again. I totaly agree with that for stable, but I disagree that this
is the real fix.
idr_find() should simply return NULL, if "id < 0". Is it that hard?
Thanks,
tglx
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
