lib/list_sort: do not pass bad pointers to cmp callback - openslx/kernel-qcow2-linux.git

diff options

author	Don Mullis	2010-10-01 00:15:32 +0200
committer	Linus Torvalds	2010-10-01 19:50:58 +0200
commit	f015ac3edd84ad72f88e08a4d83c56c360aae404 (patch)
tree	87f88c4e502d69752776dd36451d0ece5416f9f1 /CREDITS
parent	sys_semctl: fix kernel stack leakage (diff)
download	kernel-qcow2-linux-f015ac3edd84ad72f88e08a4d83c56c360aae404.tar.gz kernel-qcow2-linux-f015ac3edd84ad72f88e08a4d83c56c360aae404.tar.xz kernel-qcow2-linux-f015ac3edd84ad72f88e08a4d83c56c360aae404.zip

lib/list_sort: do not pass bad pointers to cmp callback

If the original list is a POT in length, the first callback from line 73 will pass a==b both pointing to the original list_head. This is dangerous because the 'list_sort()' user can use 'container_of()' and accesses the "containing" object, which does not necessary exist for the list head. So the user can access RAM which does not belong to him. If this is a write access, we can end up with memory corruption. Signed-off-by: Don Mullis <don.mullis@gmail.com> Tested-by: Artem Bityutskiy <Artem.Bityutskiy@nokia.com> Signed-off-by: Artem Bityutskiy <Artem.Bityutskiy@nokia.com> Cc: <stable@kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

Diffstat (limited to 'CREDITS')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: