Re: [PATCH] PCI: Prevent out of bounds access in numa_node override - part 2


 




On 11/09/2015 01:56 AM, Mathias Krause wrote:

> 
>> Can you point to the code that does node_states[pci_dev->numa_node] without
>> doing a bounds check?  IMO that's the code that is broken.
> 
> It's the node_state() inline for MAX_NUMNODES > 1.

In drivers/pci/pci-sysfs.c: numa_node_store()

	if (node >= MAX_NUMNODES || !node_online(node))

needs to be broken out into a range and separate online check.

	/* range check */
	if (node < NUMA_NO_NODE || node >= MAX_NUMNODES)
		return -EINVAL;

	/* Is the specific node online? */
	if (node != NUMA_NO_NODE && !node_online(node))
		return -EINVAL; /* perhaps -ENODEV ? */

which will fix the problem.

P.

> 
>>
>> FWIW: I think the idea of your patch is still correct.  Checking for -1 to
>> MAX_NUMNODES is not a bad idea.
> 
> It is. As it prevents userland from triggering the out of bounds read. ;)
> 
> 
> Thanks,
> Mathias
> --
> To unsubscribe from this list: send the line "unsubscribe linux-pci" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> 
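
The two forms of the check from the message above, modelled in user space as an added example (not code from this thread or from the kernel tree). The value of MAX_NUMNODES, the online mask, and the counting node_online() stand-in are assumptions, chosen so the missing lower bound can be observed without performing an actual out-of-bounds read.

```c
#include <errno.h>
#include <stdio.h>

#define MAX_NUMNODES 64   /* assumed for this model; config-dependent in the kernel */
#define NUMA_NO_NODE (-1)
static const unsigned long long online_mask = 0x3; /* constructed: nodes 0 and 1 online */
static int oob_lookups; /* node_online() calls made with an out-of-range index */

/* Stand-in for node_online(): counts an out-of-range index instead of reading it. */
static int node_online(int node)
{
	int in_range = node >= 0 && node < MAX_NUMNODES;
	oob_lookups += !in_range;
	return in_range && ((online_mask >> node) & 1);
}

/* The combined test quoted from numa_node_store(): no lower bound. */
static int check_combined(int node)
{
	if (node >= MAX_NUMNODES || !node_online(node))
		return -EINVAL;
	return 0;
}

/* The split form proposed in the message: range first, then online state. */
static int check_split(int node)
{
	if (node < NUMA_NO_NODE || node >= MAX_NUMNODES)
		return -EINVAL;
	if (node != NUMA_NO_NODE && !node_online(node))
		return -EINVAL;
	return 0;
}

/* Number of out-of-range lookups one call to `check` makes for `node`. */
static int oob_lookups_for(int (*check)(int), int node)
{
	oob_lookups = 0;
	(void)check(node);
	return oob_lookups;
}

int main(void)
{
	const int s[] = { -4096, -2, NUMA_NO_NODE, 0, 5, MAX_NUMNODES };
	for (size_t i = 0; i < sizeof(s) / sizeof(s[0]); i++)
		printf("%d: combined oob=%d, split oob=%d\n", s[i],
		       oob_lookups_for(check_combined, s[i]), oob_lookups_for(check_split, s[i]));
	return 0;
}
```

In the model the combined check still returns -EINVAL for negative input because the stand-in answers "offline"; in the kernel the answer would come from whatever memory the unchecked index reads.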


