Message-ID: <1570feed-489c-82f7-8d6b-9f53e9ebb87e@gmail.com>
Date: Sat, 6 May 2023 09:48:19 +0800
Subject: Re: [PATCH] maple_tree: Fix potential out-of-bounds access in mas_wr_end_piv()
To: "Liam R. Howlett" , akpm@linux-foundation.org, linux-mm@kvack.org, linux-kernel@vger.kernel.org, maple-tree@lists.infradead.org, Peng Zhang
References: <20230504031422.47506-1-zhangpeng.00@bytedance.com> <20230506011447.2e47mf5kwwo4yz4r@revolver>
From: Peng Zhang
In-Reply-To: <20230506011447.2e47mf5kwwo4yz4r@revolver>
List-ID: 

On 2023/5/6 09:14, Liam R. Howlett wrote:
> * Peng Zhang [230503 23:14]:
>> Access to the pivots array may be out of bounds. Fix it by changing the
>> code to ensure that the index of the pivots does not go out of bounds.
>> It is difficult to assess user-visible impact.
>
> This is indeed an issue. There isn't any user-visible impact for
> current node types, since the overflow will access the slots and be
> corrected in the next if clause, but it's certainly better to fix this.
>
> The commit message is also not as descriptive as necessary, perhaps
> something like:
>
> Check the write offset end bounds before using it as the offset into the
> pivot array. This avoids a possible out-of-bounds access on the pivot
> array if the write extends to the last slot in the node, in which case
> the node maximum should be used as the end pivot.
>
> Reviewed-by: Liam R. Howlett
>
>>
>> Fixes: 54a611b60590 ("Maple Tree: add new data structure")
>
> Cc stable ?

I don't know if it should be cc stable since Andrew says it always needs
to describe user-visible impact.

>
>> Signed-off-by: Peng Zhang
>> ---
>> lib/maple_tree.c | 11 ++++++-----
>> 1 file changed, 6 insertions(+), 5 deletions(-)
>>
>> diff --git a/lib/maple_tree.c b/lib/maple_tree.c
>> index 110a36479dced..5a49327444d76 100644
>> --- a/lib/maple_tree.c
>> +++ b/lib/maple_tree.c
>> @@ -4263,11 +4263,13 @@ static inline bool mas_wr_slot_store(struct ma_wr_state *wr_mas) >> >> static inline void mas_wr_end_piv(struct ma_wr_state *wr_mas) >> { >> - while ((wr_mas->mas->last > wr_mas->end_piv) && >> - (wr_mas->offset_end < wr_mas->node_end)) >> - wr_mas->end_piv = wr_mas->pivots[++wr_mas->offset_end]; >> + while ((wr_mas->offset_end < wr_mas->node_end) && >> + (wr_mas->mas->last > wr_mas->pivots[wr_mas->offset_end])) >> + wr_mas->offset_end++; >> >> - if (wr_mas->mas->last > wr_mas->end_piv) >> + if (wr_mas->offset_end < wr_mas->node_end) >> + wr_mas->end_piv = wr_mas->pivots[wr_mas->offset_end]; >> + else >> wr_mas->end_piv = wr_mas->mas->max; >> } >> >> @@ -4424,7 +4426,6 @@ static inline void *mas_wr_store_entry(struct ma_wr_state *wr_mas) >> } >> >> /* At this point, we are at the leaf node that needs to be altered. */ >> - wr_mas->end_piv = wr_mas->r_max; >> mas_wr_end_piv(wr_mas); >> >> if (!wr_mas->entry) >> -- >> 2.20.1 >>
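Review bot: in the first hunk (mas_wr_end_piv), the reordered loop condition is what actually closes the over-read and the commit message should say so explicitly: `(wr_mas->offset_end < wr_mas->node_end)` is now evaluated before `wr_mas->pivots[wr_mas->offset_end]`, so `&&` short-circuits and the pivot array is never indexed at `node_end`, whereas the old `wr_mas->pivots[++wr_mas->offset_end]` could step the index to `node_end` and read past the pivots into the slots, which is the overflow Liam describes. One equivalence point worth confirming against the unchanged callers: the old loop compared `mas->last` against the caller-seeded `end_piv` (r_max), while the new loop compares it against `pivots[offset_end]` directly, so the two agree only if the caller leaves `offset_end` at the slot whose upper bound is r_max; when `offset_end == node_end` on entry the loop body never runs and the new `else` branch correctly yields `mas->max`.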
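Review bot: in the second hunk (mas_wr_store_entry), dropping `wr_mas->end_piv = wr_mas->r_max;` is safe only because both branches of the rewritten mas_wr_end_piv() unconditionally assign `end_piv`; that dependency is invisible from this hunk alone and deserves a sentence in the commit message. Please also check whether mas_wr_end_piv() has other callers outside this diff that relied on `end_piv` being pre-seeded with r_max before the call, since the function no longer reads the incoming value of `end_piv` at all.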