Commit 433c5f70 authored by David S. Miller's avatar David S. Miller

sparc64: Fix end-of-stack checking in save_stack_trace().

Bug reported by Alexander Beregalov.

Before we dereference the stack frame or try to peek at the
pt_regs magic value, make sure the entire object is within
the kernel stack bounds.
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 764f2579
...@@ -26,13 +26,15 @@ void save_stack_trace(struct stack_trace *trace) ...@@ -26,13 +26,15 @@ void save_stack_trace(struct stack_trace *trace)
/* Bogus frame pointer? */ /* Bogus frame pointer? */
if (fp < (thread_base + sizeof(struct thread_info)) || if (fp < (thread_base + sizeof(struct thread_info)) ||
fp >= (thread_base + THREAD_SIZE)) fp > (thread_base + THREAD_SIZE - sizeof(struct sparc_stackf)))
break; break;
sf = (struct sparc_stackf *) fp; sf = (struct sparc_stackf *) fp;
regs = (struct pt_regs *) (sf + 1); regs = (struct pt_regs *) (sf + 1);
if ((regs->magic & ~0x1ff) == PT_REGS_MAGIC) { if (((unsigned long)regs <=
(thread_base + THREAD_SIZE - sizeof(*regs))) &&
(regs->magic & ~0x1ff) == PT_REGS_MAGIC) {
if (!(regs->tstate & TSTATE_PRIV)) if (!(regs->tstate & TSTATE_PRIV))
break; break;
pc = regs->tpc; pc = regs->tpc;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment