authorDavid S. Miller <davem@davemloft.net>2008-08-07 23:04:37 -0700
committerDavid S. Miller <davem@davemloft.net>2008-08-07 23:04:37 -0700
commit433c5f706856689be25928a99636e724fb3ea7cf (patch)
tree4a76f75ebec4adf1140a6f7930ce701b11d42d98 /arch/sparc64/kernel
parent764f2579d95120e1c76b7af1256d02466ddd00bf (diff)
sparc64: Fix end-of-stack checking in save_stack_trace().
Bug reported by Alexander Beregalov. Before we dereference the stack frame or try to peek at the pt_regs magic value, make sure the entire object is within the kernel stack bounds. Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'arch/sparc64/kernel')
-rw-r--r--arch/sparc64/kernel/stacktrace.c6
1 files changed, 4 insertions, 2 deletions
diff --git a/arch/sparc64/kernel/stacktrace.c b/arch/sparc64/kernel/stacktrace.c
index b3e3737750d8..e9d7f0660f2e 100644
--- a/arch/sparc64/kernel/stacktrace.c
+++ b/arch/sparc64/kernel/stacktrace.c
@@ -26,13 +26,15 @@ void save_stack_trace(struct stack_trace *trace)
/* Bogus frame pointer? */
if (fp < (thread_base + sizeof(struct thread_info)) ||
- fp >= (thread_base + THREAD_SIZE))
+ fp > (thread_base + THREAD_SIZE - sizeof(struct sparc_stackf)))
break;
sf = (struct sparc_stackf *) fp;
regs = (struct pt_regs *) (sf + 1);
- if ((regs->magic & ~0x1ff) == PT_REGS_MAGIC) {
+ if (((unsigned long)regs <=
+ (thread_base + THREAD_SIZE - sizeof(*regs))) &&
+ (regs->magic & ~0x1ff) == PT_REGS_MAGIC) {
if (!(regs->tstate & TSTATE_PRIV))
break;
pc = regs->tpc;