The patch titled
     lib/list_sort: do not pass bad pointers to cmp callback
has been added to the -mm tree.  Its filename is
     lib-list_sort-do-not-pass-bad-pointers-to-cmp-callback.patch

Before you just go and hit "reply", please:
   a) Consider who else should be cc'ed
   b) Prefer to cc a suitable mailing list as well
   c) Ideally: find the original patch on the mailing list and do a
      reply-to-all to that, adding suitable additional cc's

*** Remember to use Documentation/SubmitChecklist when testing your code ***

See http://userweb.kernel.org/~akpm/stuff/added-to-mm.txt to find
out what to do about this

The current -mm tree may be found at http://userweb.kernel.org/~akpm/mmotm/

------------------------------------------------------
Subject: lib/list_sort: do not pass bad pointers to cmp callback
From: Don Mullis <don.mullis@xxxxxxxxx>

If the original list is a POT in length, the first callback from line 73
will pass a==b both pointing to the original list_head.  This is dangerous
because the 'list_sort()' user can use 'container_of()' and access the
"containing" object, which does not necessarily exist for the list head.  So
the user can access RAM which does not belong to him.  If this is a write
access, we can end up with memory corruption.

This patch fixes the issue.

Signed-off-by: Don Mullis <don.mullis@xxxxxxxxx>
Tested-by: Artem Bityutskiy <Artem.Bityutskiy@xxxxxxxxx>
Signed-off-by: Artem Bityutskiy <Artem.Bityutskiy@xxxxxxxxx>
Cc: <stable@xxxxxxxxxx>
Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
--- lib/list_sort.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff -puN lib/list_sort.c~lib-list_sort-do-not-pass-bad-pointers-to-cmp-callback lib/list_sort.c --- a/lib/list_sort.c~lib-list_sort-do-not-pass-bad-pointers-to-cmp-callback +++ a/lib/list_sort.c
@@ -70,7 +70,7 @@ static void merge_and_restore_back_links * element comparison is needed, so the client's cmp() * routine can invoke cond_resched() periodically. */ - (*cmp)(priv, tail, tail); + (*cmp)(priv, tail->next, tail->next); tail->next->prev = tail; tail = tail->next; _ Patches currently in -mm which might be from don.mullis@xxxxxxxxx are linux-next.patch lib-list_sort-do-not-pass-bad-pointers-to-cmp-callback.patch lib-kconfigdebug-add-list_sort-debugging-switch.patch lib-list_sort-test-use-more-reasonable-printk-levels.patch lib-list_sort-test-use-generic-random32.patch lib-list_sort-test-improve-errors-handling.patch lib-list_sort-test-unify-test-messages.patch lib-list_sort-test-check-element-addresses.patch -- To unsubscribe from this list: send the line "unsubscribe mm-commits" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
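
Review bot: The comment above the changed call in merge_and_restore_back_links still only explains why cmp() is invoked at all ("so the client's cmp() routine can invoke cond_resched() periodically"), not why it must be given tail->next rather than tail. The changelog says tail can be the original list_head on the first pass, with no containing object behind it, so add a sentence to that comment saying so; otherwise the argument is likely to be "simplified" back to tail later. The call also still passes the same pointer for both arguments, so callbacks have to tolerate a == b, which is worth stating in the list_sort() documentation. The hunk does not show the loop condition, so please confirm that tail->next can never be the list head at this point; the following "tail->next->prev = tail;" already relies on it being non-NULL.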