[PATCH 02/10] module: fix out-of-range memory access

From: Tejun Heo
Date: Wed Feb 18 2009 - 07:05:56 EST


Impact: subtle memory access bug fix

percpu_modalloc() may access pcpu_size[-1]. The access won't change
the value by itself but it still is read/write access and dangerous.
Fix it.

Signed-off-by: Tejun Heo <tj@xxxxxxxxxx>
---
kernel/module.c | 14 ++++++++------
1 files changed, 8 insertions(+), 6 deletions(-)

diff --git a/kernel/module.c b/kernel/module.c
index ba22484..d54a63e 100644
--- a/kernel/module.c
+++ b/kernel/module.c
@@ -426,12 +426,14 @@ static void *percpu_modalloc(unsigned long size, unsigned long align,
continue;

/* Transfer extra to previous block. */
- if (pcpu_size[i-1] < 0)
- pcpu_size[i-1] -= extra;
- else
- pcpu_size[i-1] += extra;
- pcpu_size[i] -= extra;
- ptr += extra;
+ if (extra) {
+ if (pcpu_size[i-1] < 0)
+ pcpu_size[i-1] -= extra;
+ else
+ pcpu_size[i-1] += extra;
+ pcpu_size[i] -= extra;
+ ptr += extra;
+ }

/* Split block if warranted */
if (pcpu_size[i] - size > sizeof(unsigned long))
--
1.6.0.2

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/