[PATCH] maple_tree: Fix out of bounds access on mas_wr_node_walk()

From: Liam Howlett
Date: Tue Jul 12 2022 - 22:13:35 EST

Next message: Yang Yingliang: "Re: [PATCH -next 2/2] spi: microchip-core: switch to use devm_spi_alloc_master()"
Previous message: Miaohe Lin: "Re: [PATCH] mm/hugetlb: avoid corrupting page->mapping in hugetlb_mcopy_atomic_pte"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

When walking the node, check to see if offset is within the range of
pivots before reading that pivot, otherwise return the max of the node.

Reported-by: Yu Zhao <yuzhao@xxxxxxxxxx>
Fixes: d0aac5e48048 (Maple Tree: add new data structure)
Signed-off-by: Liam R. Howlett <Liam.Howlett@xxxxxxxxxx>
---
lib/maple_tree.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/maple_tree.c b/lib/maple_tree.c
index 14e9ab14c1da..768707770926 100644
--- a/lib/maple_tree.c
+++ b/lib/maple_tree.c
@@ -2254,10 +2254,10 @@ static inline void mas_wr_node_walk(struct ma_wr_state *wr_mas)
wr_mas->pivots, mas->max);
offset = mas->offset;
min = mas_safe_min(mas, wr_mas->pivots, offset);
- max = wr_mas->pivots[offset];
if (unlikely(offset == count))
- goto max; /* may have been set to zero */
+ goto max;

+ max = wr_mas->pivots[offset];
index = mas->index;
if (unlikely(index <= max))
goto done;
--
2.35.1

Next message: Yang Yingliang: "Re: [PATCH -next 2/2] spi: microchip-core: switch to use devm_spi_alloc_master()"
Previous message: Miaohe Lin: "Re: [PATCH] mm/hugetlb: avoid corrupting page->mapping in hugetlb_mcopy_atomic_pte"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]