diff options
author | David S. Miller <davem@davemloft.net> | 2008-08-17 20:34:14 -0700 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@suse.de> | 2008-08-20 11:05:11 -0700 |
commit | f8bb164b647b559370fdf0bb7941f8b2631ebaea (patch) | |
tree | 6c306856c3145b1c59feff5456d1203e856ff065 /arch | |
parent | c8579c82a2404274193ac75fe27d68bf112b908c (diff) |
sparc64: Fix end-of-stack checking in save_stack_trace().
[ Upstream commit 433c5f706856689be25928a99636e724fb3ea7cf ]
Bug reported by Alexander Beregalov.
Before we dereference the stack frame or try to peek at the
pt_regs magic value, make sure the entire object is within
the kernel stack bounds.
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Diffstat (limited to 'arch')
-rw-r--r-- | arch/sparc64/kernel/stacktrace.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/arch/sparc64/kernel/stacktrace.c b/arch/sparc64/kernel/stacktrace.c index c73ce3f4197e..c5576e856b13 100644 --- a/arch/sparc64/kernel/stacktrace.c +++ b/arch/sparc64/kernel/stacktrace.c @@ -25,13 +25,15 @@ void save_stack_trace(struct stack_trace *trace) /* Bogus frame pointer? */ if (fp < (thread_base + sizeof(struct thread_info)) || - fp >= (thread_base + THREAD_SIZE)) + fp > (thread_base + THREAD_SIZE - sizeof(struct sparc_stackf))) break; sf = (struct sparc_stackf *) fp; regs = (struct pt_regs *) (sf + 1); - if ((regs->magic & ~0x1ff) == PT_REGS_MAGIC) { + if (((unsigned long)regs <= + (thread_base + THREAD_SIZE - sizeof(*regs))) && + (regs->magic & ~0x1ff) == PT_REGS_MAGIC) { if (!(regs->tstate & TSTATE_PRIV)) break; pc = regs->tpc; |