On Thu 30-05-19 00:39:53, Dianzhang Chen wrote:
> It comes from `192+1`.
>
>
> The fuller code fragment is:
>
>
> if (size <= 192) {
> 	if (!size)
> 		return ZERO_SIZE_PTR;
> 	size = array_index_nospec(size, 193);
> 	index = size_index[size_index_elem(size)];
> }

OK I see, I could have looked into the code, my bad. But I am still not
sure what is the potential exploit scenario and why this particular path
needs special treatment while other size branches are ok. Could you be
more specific please?
--
Michal Hocko
SUSE Labs
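Why the bound in the quoted fragment is 193 rather than 192, as an added example that is not part of the original thread or of the kernel source: a userspace C sketch of a branch-free clamp written in the style of the kernel's generic `array_index_nospec()`. The helper names `index_mask_nospec` and `clamp_index_nospec` are hypothetical, the sample sizes are constructed, and an arithmetic right shift of negative values is assumed (as GCC and Clang provide).

```c
#include <limits.h>
#include <stdio.h>

#define BITS_PER_LONG (sizeof(long) * CHAR_BIT)

/*
 * All-ones when index < size, zero otherwise, computed with arithmetic
 * rather than a conditional branch. Intended for index and size values
 * up to LONG_MAX; assumes arithmetic right shift of negative values.
 */
static unsigned long index_mask_nospec(unsigned long index, unsigned long size)
{
	long v = ~(long)(index | (size - 1UL - index));

	return (unsigned long)(v >> (BITS_PER_LONG - 1));
}

/* Returns index unchanged when index < size, otherwise 0. */
static unsigned long clamp_index_nospec(unsigned long index, unsigned long size)
{
	return index & index_mask_nospec(index, size);
}

int main(void)
{
	/* Constructed sizes around the 192-byte limit of the quoted branch. */
	const unsigned long sizes[] = { 1, 8, 191, 192, 193, 4096 };
	size_t i;

	for (i = 0; i < sizeof(sizes) / sizeof(sizes[0]); i++)
		printf("size=%4lu  bound 193 -> %3lu  bound 192 -> %3lu\n",
		       sizes[i],
		       clamp_index_nospec(sizes[i], 193),
		       clamp_index_nospec(sizes[i], 192));
	return 0;
}
```

The bound is exclusive: with 193 every size the `size <= 192` check admits passes through unchanged, whereas a bound of 192 would turn the legitimate size 192 into 0.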