Re: [PATCH] iwlwifi: out-of-bounds access in iwl_init_sband_channels

From: Adrien Schildknecht
Date: Fri Aug 14 2015 - 03:04:28 EST

Next message: NeilBrown: "[PATCH stable] md/bitmap: return an error when bitmap superblock is corrupt."
Previous message: Pavel Machek: "Re: [PATCH] PM-wakeup: Delete unnecessary checks before two function calls"
In reply to: Grumbach, Emmanuel: "Re: [PATCH] iwlwifi: out-of-bounds access in iwl_init_sband_channels"
Next in thread: Kalle Valo: "Re: [PATCH] iwlwifi: out-of-bounds access in iwl_init_sband_channels"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi,

> On 08/14/2015 03:36 AM, Adrien Schildknecht wrote:
> > Both loops of this function compare data from the 'chan' array and
> > then check if the index is valid.
> >
> > The 2 conditions should be inverted to avoid an out-of-bounds
> > access.
> >
>
> Was that found by a static analyzer or any other automated tool, or
> was that the result of your very careful review?

The error has been reported by KASan:
==================================================================
BUG: KASan: out of bounds access in iwl_init_sband_channels+0x207/0x260 [iwlwifi] at addr ffff8800c2d0aac8
Read of size 4 by task modprobe/329
==================================================================

--
Adrien Schildknecht
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: NeilBrown: "[PATCH stable] md/bitmap: return an error when bitmap superblock is corrupt."
Previous message: Pavel Machek: "Re: [PATCH] PM-wakeup: Delete unnecessary checks before two function calls"
In reply to: Grumbach, Emmanuel: "Re: [PATCH] iwlwifi: out-of-bounds access in iwl_init_sband_channels"
Next in thread: Kalle Valo: "Re: [PATCH] iwlwifi: out-of-bounds access in iwl_init_sband_channels"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]