sparc64: Fix end-of-stack checking in save_stack_trace().

[ Upstream commit 433c5f706856689be25928a99636e724fb3ea7cf ] Bug reported by Alexander Beregalov. Before we dereference the stack frame or try to peek at the pt_regs magic value, make sure the entire object is within the kernel stack bounds. Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
author: David S. Miller <davem@davemloft.net> 2008-08-17 20:34:14 -0700
committer: Greg Kroah-Hartman <gregkh@suse.de> 2008-08-20 11:05:11 -0700
commit: f8bb164b647b559370fdf0bb7941f8b2631ebaea (patch)
tree: 6c306856c3145b1c59feff5456d1203e856ff065 /arch
parent: c8579c82a2404274193ac75fe27d68bf112b908c (diff)
1 files changed, 4 insertions, 2 deletions
diff --git a/arch/sparc64/kernel/stacktrace.c b/arch/sparc64/kernel/stacktrace.c
index c73ce3f4197e..c5576e856b13 100644
--- a/arch/sparc64/kernel/stacktrace.c
+++ b/arch/sparc64/kernel/stacktrace.c
@@ -25,13 +25,15 @@ void save_stack_trace(struct stack_trace *trace)
 
 		/* Bogus frame pointer? */
 		if (fp < (thread_base + sizeof(struct thread_info)) ||
-		    fp >= (thread_base + THREAD_SIZE))
+		    fp > (thread_base + THREAD_SIZE - sizeof(struct sparc_stackf)))
 			break;
 
 		sf = (struct sparc_stackf *) fp;
 		regs = (struct pt_regs *) (sf + 1);
 
-		if ((regs->magic & ~0x1ff) == PT_REGS_MAGIC) {
+		if (((unsigned long)regs <=
+		     (thread_base + THREAD_SIZE - sizeof(*regs))) &&
+		    (regs->magic & ~0x1ff) == PT_REGS_MAGIC) {
 			if (!(regs->tstate & TSTATE_PRIV))
 				break;
 			pc = regs->tpc;
author	David S. Miller <davem@davemloft.net>	2008-08-17 20:34:14 -0700
committer	Greg Kroah-Hartman <gregkh@suse.de>	2008-08-20 11:05:11 -0700
commit	f8bb164b647b559370fdf0bb7941f8b2631ebaea (patch)
tree	6c306856c3145b1c59feff5456d1203e856ff065 /arch
parent	c8579c82a2404274193ac75fe27d68bf112b908c (diff)