Re: [PATCH] fix read past end of array in md/linear.c
From: Neil Brown
Date: Sun Mar 11 2007 - 19:07:39 EST
On Thursday March 8, adi@xxxxxxxxxxxxx wrote:
> On Thu, Mar 08, 2007 at 12:52:04PM -0800, Andy Isaacson wrote:
> > Index: linus/drivers/md/linear.c
> > ===================================================================
> > --- linus.orig/drivers/md/linear.c 2007-03-02 11:35:55.000000000 -0800
> > +++ linus/drivers/md/linear.c 2007-03-07 13:10:30.000000000 -0800
> > @@ -188,7 +188,7 @@
> > for (i=0; i < cnt-1 ; i++) {
> > sector_t sz = 0;
> > int j;
> > - for (j=i; i<cnt-1 && sz < min_spacing ; j++)
> > + for (j=i; j<cnt-1 && sz < min_spacing ; j++)
> > sz += conf->disks[j].size;
> > if (sz >= min_spacing && sz < conf->hash_spacing)
> > conf->hash_spacing = sz;
>
> Forgot to add:
>
> Signed-off-by: Andrew Isaacson <adi@xxxxxxxxxxxxx>
And
Acked-by: NeilBrown <neilb@xxxxxxx>
Thanks!
I would have replied earlier but I wanted to make sure I understood
exactly what the possible consequences of this bug were.. and they are
quite benign.
The worst possible outcome is going so far off the end of the array
that you hit un-mapped memory and Oops.
If that doesn't happen, then the next worst option is that the hash
table is sized poorly and you spend a few more cycles than needed
choosing the target device for the request (we still always choose the
right device).
Thanks,
NeilBrown
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/