From: Oleg Nesterov
arch_check_bp_in_kernelspace() tries to avoid the overflow and does 2
TASK_SIZE checks but it needs OR, not AND. Consider va = TASK_SIZE -1
and len = 2 case.
Note: TASK_SIZE doesn't look right at least on x86, I think it should
be replaced by TASK_SIZE_MAX.
Signed-off-by: Ol
On Sun, Nov 24, 2013 at 11:32:49AM +0100, Frederic Weisbecker wrote:
> From: Oleg Nesterov
>
> arch_check_bp_in_kernelspace() tries to avoid the overflow and does 2
> TASK_SIZE checks but it needs OR, not AND. Consider va = TASK_SIZE -1
> and len = 2 case.
>
> Note: TASK_SIZE doesn't look right
Frederic. Thanks for doing this ;)
On 11/24, Borislav Petkov wrote:
>
> On Sun, Nov 24, 2013 at 11:32:49AM +0100, Frederic Weisbecker wrote:
> >
> > - return (va >= TASK_SIZE) && ((va + len - 1) >= TASK_SIZE);
> > + return (va >= TASK_SIZE) || ((va + len - 1) >= TASK_SIZE);
>
> Well, can't you
On Mon, Nov 25, 2013 at 08:50:28PM +0100, Oleg Nesterov wrote:
> This won't work if va + len overflows?
Oh, right,
> Perhaps we should makes this clear, and we can even check the overflow
> in the generic code (iirc Linus suggested to do this).
maybe something like
((va + len - 1) >= TA
On 11/25, Borislav Petkov wrote:
>
> On Mon, Nov 25, 2013 at 08:50:28PM +0100, Oleg Nesterov wrote:
> > This won't work if va + len overflows?
>
> Oh, right,
>
> > Perhaps we should makes this clear, and we can even check the overflow
> > in the generic code (iirc Linus suggested to do this).
>
> m
