Re: Out-of-bounds access in get_wchan (arch/x86/kernel/process_64.c)

2013-09-28 Thread Kees Cook
On Sat, Sep 28, 2013 at 09:51:14PM +0200, Wolfram Gloger wrote:
> Kees Cook writes:
>
> > Please note that these bounds checks aren't correct to begin with. Since
> > a pointer is being dereferenced, the end boundary must be reduced by
> > sizeof(unsigned long) as well.
> >
> > It looks like proce

Re: Out-of-bounds access in get_wchan (arch/x86/kernel/process_64.c)

2013-09-28 Thread Wolfram Gloger
Kees Cook writes:
> Please note that these bounds checks aren't correct to begin with. Since
> a pointer is being dereferenced, the end boundary must be reduced by
> sizeof(unsigned long) as well.
>
> It looks like process_32.c suffers the same problems, too.

I can't see the end boundary problem

Re: [PATCH] Out-of-bounds access in get_wchan (arch/x86/kernel/process_64.c)

2013-09-27 Thread Dmitry Vyukov
On Fri, Sep 13, 2013 at 3:03 AM, Wolfram Gloger wrote:
> "H. Peter Anvin" writes:
>
>> Actually, the sanest would be:
>>
>> if (fp < (unsigned long)stack ||
>> fp >= (unsigned long)stack+(THREAD_SIZE-16))
>>
>> ... wouldn't it (since we are accessing an 8-byte datum at offset +8?

Re: Out-of-bounds access in get_wchan (arch/x86/kernel/process_64.c)

2013-09-27 Thread Kees Cook
On Wed, Sep 11, 2013 at 10:16:32PM +0400, Dmitry Vyukov wrote:
> On Wed, Sep 11, 2013 at 2:06 AM, Andi Kleen wrote:
> >> Indeed, get_wchan ensures that fp >> fp+8:
> >>
> >> 434 if (fp < (unsigned long)stack ||
> >> 435 fp >= (unsigned long)stack+THREAD_SIZE)
>

Re: Out-of-bounds access in get_wchan (arch/x86/kernel/process_64.c)

2013-09-11 Thread Dmitry Vyukov
On Wed, Sep 11, 2013 at 2:06 AM, Andi Kleen wrote:
>> Indeed, get_wchan ensures that fp> fp+8:
>>
>> 434 if (fp < (unsigned long)stack ||
>> 435 fp >= (unsigned long)stack+THREAD_SIZE)
>> 436 return 0;
>> 437 ip = *(u64 *)

Re: Out-of-bounds access in get_wchan (arch/x86/kernel/process_64.c)

2013-09-10 Thread Andi Kleen
> Indeed, get_wchan ensures that fp fp+8:
>
> 434 if (fp < (unsigned long)stack ||
> 435 fp >= (unsigned long)stack+THREAD_SIZE)
> 436 return 0;
> 437 ip = *(u64 *)(fp+8);
>
> It must check that fp+8

As far as I see, the

Out-of-bounds access in get_wchan (arch/x86/kernel/process_64.c)

2013-09-03 Thread Dmitry Vyukov
Hi,

We are working on a memory error detector, AddressSanitizer, for the Linux kernel (https://code.google.com/p/address-sanitizer/wiki/AddressSanitizerForKernel); it can detect use-after-free and buffer-overflow errors. Here is a new report from the tool:

[ 124.575597] ERROR: AddressSanitizer: heap