On 10/26/17 5:15 PM, Darrick J. Wong wrote: > From: Darrick J. Wong <darrick.wong@xxxxxxxxxx> > > There's an off by one error in the bag_remove code such that we end up > copying memory from beyond the end of the array into the array. Not a > serious problem since we have counters to prevent us from reading that > garbage, but AddressSanitizer complained so let's fix it. > > Signed-off-by: Darrick J. Wong <darrick.wong@xxxxxxxxxx> Reviewed-by: Eric Sandeen <sandeen@xxxxxxxxxx> > --- > repair/slab.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > > diff --git a/repair/slab.c b/repair/slab.c > index 8609270..d47448a 100644 > --- a/repair/slab.c > +++ b/repair/slab.c > @@ -469,7 +469,7 @@ bag_remove( > { > ASSERT(nr < bag->bg_inuse); > memmove(&bag->bg_ptrs[nr], &bag->bg_ptrs[nr + 1], > - (bag->bg_inuse - nr) * sizeof(void *)); > + (bag->bg_inuse - nr - 1) * sizeof(void *)); > bag->bg_inuse--; > return 0; > }
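Review bot: the only bound on nr in bag_remove is ASSERT(nr < bag->bg_inuse), and the new length expression makes that check matter more than it did before. With the old count, nr == bg_inuse produced a zero-length memmove; with (bag->bg_inuse - nr - 1) * sizeof(void *) the same input gives -1 (or a wrapped value), which the multiplication by sizeof converts to a very large size_t. If ASSERT can be compiled out in any build of this code (not visible from this hunk), consider an explicit runtime check that returns an error when nr >= bag->bg_inuse, since the function already returns int. The count itself is correct: the entries after slot nr are nr + 1 through bg_inuse - 1, which is bg_inuse - nr - 1 pointers. As a smaller point, after the shift the slot at the old bg_inuse - 1 still holds a copy of the last pointer; the counter keeps it from being read, as the commit message says, but setting it to NULL after bag->bg_inuse-- would make a stale read easier to spot.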