[PATCH] lib/lru_cache: Fixed array overflow caused by incorrect boundary handling.

From: John Sanpe
Date: Sat Jul 23 2022 - 04:00:15 EST

Next message: Takashi Iwai: "Re: [PATCH 3/4] exfat: Expand exfat_err() and co directly to pr_*() macro"
Previous message: Bagas Sanjaya: "[PATCH] MAINTAINERS: remove outdated patch submission guidelines"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This problem occurs when malloc element failed on the first time.
At this time, the counter i is 0. When it's released, we subtract 1
in advance without checking, which will cause i to become UINT_MAX,
resulting in array overflow.

Signed-off-by: John Sanpe <sanpeqf@xxxxxxxxx>
---
lib/lru_cache.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/lru_cache.c b/lib/lru_cache.c
index 52313acbfa62..04d95de92602 100644
--- a/lib/lru_cache.c
+++ b/lib/lru_cache.c
@@ -147,7 +147,7 @@ struct lru_cache *lc_create(const char *name, struct kmem_cache *cache,
return lc;

/* else: could not allocate all elements, give up */
- for (i--; i; i--) {
+ while (i--) {
void *p = element[i];
kmem_cache_free(cache, p - e_off);
}
--
2.36.1

Next message: Takashi Iwai: "Re: [PATCH 3/4] exfat: Expand exfat_err() and co directly to pr_*() macro"
Previous message: Bagas Sanjaya: "[PATCH] MAINTAINERS: remove outdated patch submission guidelines"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]