linux/lib
David Howells ea6789980f assoc_array: Fix a buggy node-splitting case
This fixes CVE-2017-12193.

Fix a case in the assoc_array implementation in which a new leaf is
added that needs to go into a node that happens to be full, where the
existing leaves in that node cluster together at that level to the
exclusion of new leaf.

What needs to happen is that the existing leaves get moved out to a new
node, N1, at level + 1 and the existing node needs replacing with one,
N0, that has pointers to the new leaf and to N1.

The code that tries to do this gets this wrong in two ways:

 (1) The pointer that should've pointed from N0 to N1 is set to point
     recursively to N0 instead.

 (2) The backpointer from N0 needs to be set correctly in the case N0 is
     either the root node or reached through a shortcut.

Fix this by removing this path and using the split_node path instead,
which achieves the same end, but in a more general way (thanks to Eric
Biggers for spotting the redundancy).

The problem manifests itself as:

  BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
  IP: assoc_array_apply_edit+0x59/0xe5

Fixes: 3cb989501c ("Add a generic associative array implementation.")
Reported-and-tested-by: WU Fan <u3536072@connect.hku.hk>
Signed-off-by: David Howells <dhowells@redhat.com>
Cc: stable@vger.kernel.org [v3.13-rc1+]
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2017-10-28 10:31:07 -07:00
..
842
fonts
lz4 lib/lz4: make arrays static const, reduces object code size 2017-10-03 17:54:25 -07:00
lzo
mpi Merge git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 2017-08-22 14:53:32 +08:00
raid6 Merge tag 'md/4.14-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/shli/md 2017-09-07 12:41:48 -07:00
reed_solomon
xz
zlib_deflate
zlib_inflate lib/zlib_inflate/inftrees.c: fix potential buffer overflow 2017-05-08 17:15:12 -07:00
zstd lib: Add zstd modules 2017-08-15 09:02:08 -07:00
.gitignore
argv_split.c
asn1_decoder.c
assoc_array.c assoc_array: Fix a buggy node-splitting case 2017-10-28 10:31:07 -07:00
atomic64.c
atomic64_test.c lib/atomic64_test.c: add a test that atomic64_inc_not_zero() returns an int 2017-07-14 15:05:13 -07:00
audit.c
bcd.c
bch.c
bitmap.c lib/bitmap.c: make bitmap_parselist() thread-safe and much faster 2017-09-08 18:26:49 -07:00
bitrev.c
bsearch.c lib/bsearch.c: micro-optimize pivot position calculation 2017-07-10 16:32:35 -07:00
btree.c
bug.c
build_OID_registry
bust_spinlocks.c
chacha20.c
check_signature.c
checksum.c
clz_ctz.c
clz_tab.c
cmdline.c lib/cmdline.c: remove meaningless comment 2017-09-08 18:26:49 -07:00
compat_audit.c
cordic.c
cpu_rmap.c
cpumask.c cpumask: make cpumask_next() out-of-line 2017-09-08 18:26:51 -07:00
crc-ccitt.c
crc-itu-t.c
crc-t10dif.c
crc4.c lib: Add crc4 module 2017-06-09 11:52:07 +02:00
crc7.c
crc8.c
crc16.c
crc32.c
crc32defs.h
crc32test.c
ctype.c
debug_info.c
debug_locks.c
debugobjects.c debugobjects: Make kmemleak ignore debug objects 2017-08-14 16:51:01 +02:00
dec_and_lock.c
decompress.c
decompress_bunzip2.c
decompress_inflate.c
decompress_unlz4.c
decompress_unlzma.c
decompress_unlzo.c
decompress_unxz.c
devres.c
digsig.c lib/digsig: fix dereference of NULL user_key_payload 2017-10-12 17:16:40 +01:00
div64.c
dma-debug.c dmaengine updates for 4.12-rc1 2017-05-09 15:40:28 -07:00
dma-noop.c dma: Take into account dma_pfn_offset 2017-06-28 06:55:01 -07:00
dma-virt.c dma-virt: remove dma_supported and mapping_error methods 2017-06-28 06:54:41 -07:00
dump_stack.c
dynamic_debug.c
dynamic_queue_limits.c
earlycpio.c
errseq.c errseq: rename __errseq_set to errseq_set 2017-07-26 12:24:36 -04:00
extable.c lib/extable.c: use bsearch() library function in search_extable() 2017-07-10 16:32:35 -07:00
fault-inject.c fault-inject: fix wrong should_fail() decision in task context 2017-08-10 15:54:06 -07:00
fdt.c
fdt_empty_tree.c
fdt_ro.c
fdt_rw.c
fdt_strerror.c
fdt_sw.c
fdt_wip.c
find_bit.c
flex_array.c
flex_proportions.c percpu_counter: Rename __percpu_counter_add to percpu_counter_add_batch 2017-06-20 15:42:32 -04:00
gcd.c
gen_crc32table.c
genalloc.c
glob.c
globtest.c
hexdump.c lib/hexdump.c: return -EINVAL in case of error in hex2bin() 2017-09-08 18:26:49 -07:00
hweight.c
idr.c lib/idr.c: fix comment for idr_replace() 2017-10-03 17:54:25 -07:00
inflate.c
int_sqrt.c
interval_tree.c
interval_tree_test.c lib/interval_tree: fast overlap detection 2017-09-08 18:26:49 -07:00
iomap.c
iomap_copy.c
iommu-common.c
iommu-helper.c
ioremap.c
iov_iter.c iov_iter: fix page_copy_sane for compound pages 2017-09-20 23:27:48 -04:00
irq_poll.c
irq_regs.c
is_single_threaded.c
jedec_ddr_data.c
kasprintf.c
Kconfig Merge branch 'zstd-minimal' of git://git.kernel.org/pub/scm/linux/kernel/git/mason/linux-btrfs 2017-09-14 17:30:49 -07:00
Kconfig.debug Merge branch 'locking-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2017-10-14 15:14:20 -04:00
Kconfig.kasan
Kconfig.kgdb lib: update location of kgdb documentation 2017-05-16 08:44:22 -03:00
Kconfig.kmemcheck
Kconfig.ubsan
kfifo.c
klist.c
kobject.c
kobject_uevent.c driver core: suppress sending MODALIAS in UNBIND uevents 2017-09-18 16:48:33 +02:00
kstrtox.c lib/kstrtox.c: use "unsigned int" more 2017-07-10 16:32:34 -07:00
kstrtox.h
lcm.c
libcrc32c.c crypto: Work around deallocated stack frame reference gcc bug on sparc. 2017-06-08 17:36:03 +08:00
list_debug.c
list_sort.c lib: add module support to linked list sorting tests 2017-05-08 17:15:10 -07:00
llist.c
locking-selftest-hardirq.h
locking-selftest-mutex.h
locking-selftest-rlock-hardirq.h
locking-selftest-rlock-softirq.h
locking-selftest-rlock.h
locking-selftest-rsem.h
locking-selftest-rtmutex.h locking/selftest: Add RT-mutex support 2017-06-08 10:35:50 +02:00
locking-selftest-softirq.h
locking-selftest-spin-hardirq.h
locking-selftest-spin-softirq.h
locking-selftest-spin.h
locking-selftest-wlock-hardirq.h
locking-selftest-wlock-softirq.h
locking-selftest-wlock.h
locking-selftest-wsem.h
locking-selftest.c locking/selftest: Avoid false BUG report 2017-10-10 10:04:29 +02:00
lockref.c
lru_cache.c
Makefile Merge branch 'zstd-minimal' of git://git.kernel.org/pub/scm/linux/kernel/git/mason/linux-btrfs 2017-09-14 17:30:49 -07:00
memory-notifier-error-inject.c
memweight.c
net_utils.c
netdev-notifier-error-inject.c
nlattr.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next 2017-09-03 17:08:42 -07:00
nmi_backtrace.c printk: Use the main logbuf in NMI when logbuf_lock is available 2017-05-19 14:42:19 +02:00
nodemask.c
notifier-error-inject.c
notifier-error-inject.h
of-reconfig-notifier-error-inject.c
oid_registry.c lib/oid_registry.c: X.509: fix the buffer overflow in the utility function for OID string 2017-09-08 18:26:49 -07:00
once.c
parman.c
parser.c
pci_iomap.c
percpu-refcount.c
percpu_counter.c writeback: rework wb_[dec|inc]_stat family of functions 2017-07-12 16:26:05 -07:00
percpu_ida.c
percpu_test.c
plist.c
pm-notifier-error-inject.c
prime_numbers.c
radix-tree.c radix-tree: must check __radix_tree_preload() return value 2017-09-08 18:26:49 -07:00
random32.c
ratelimit.c lib/ratelimit.c: use deferred printk() version 2017-10-03 17:54:26 -07:00
rational.c
rbtree.c rbtree: add some additional comments for rebalancing cases 2017-09-08 18:26:48 -07:00
rbtree_test.c lib/rbtree_test.c: support rb_root_cached 2017-09-08 18:26:48 -07:00
reciprocal_div.c
refcount.c locking/refcount: Create unchecked atomic_t implementation 2017-06-28 18:54:46 +02:00
rhashtable.c rhashtable: Documentation tweak 2017-09-19 15:18:33 -07:00
sbitmap.c
scatterlist.c scatterlist: add sg_zero_buffer() helper 2017-06-15 14:30:14 +02:00
seq_buf.c
sg_pool.c
sg_split.c
sha1.c
show_mem.c
siphash.c
smp_processor_id.c sched/core: Enable might_sleep() and smp_processor_id() checks early 2017-05-23 10:01:38 +02:00
sort.c
stackdepot.c
stmp_device.c
string.c lib/string.c: check for kmalloc() failure 2017-09-08 18:26:49 -07:00
string_helpers.c mm: treewide: remove GFP_TEMPORARY allocation flag 2017-09-13 18:53:16 -07:00
strncpy_from_user.c
strnlen_user.c kill strlen_user() 2017-05-15 23:40:22 -04:00
swiotlb.c swiotlb: Add warnings for use of bounce buffers with SME 2017-07-18 11:38:03 +02:00
syscall.c
test-kstrtox.c
test-string_helpers.c
test_bitmap.c lib/test_bitmap.c: use ULL suffix for 64-bit constants 2017-09-13 18:53:15 -07:00
test_bpf.c bpf: add BPF_J{LT,LE,SLT,SLE} instructions 2017-08-09 16:53:56 -07:00
test_debug_virtual.c lib: add test module for CONFIG_DEBUG_VIRTUAL 2017-09-08 18:26:49 -07:00
test_firmware.c test_firmware: add batched firmware tests 2017-08-10 13:58:41 -07:00
test_hash.c
test_hexdump.c
test_kasan.c
test_kmod.c test_kmod: flip INT checks to be consistent 2017-09-08 18:26:50 -07:00
test_list_sort.c lib: add module support to linked list sorting tests 2017-05-08 17:15:10 -07:00
test_module.c
test_parman.c
test_printf.c
test_rhashtable.c lib: test_rhashtable: Fix KASAN warning 2017-07-25 12:35:23 -07:00
test_siphash.c
test_sort.c Revert "lib/test_sort.c: make it explicitly non-modular" 2017-05-08 17:15:10 -07:00
test_static_key_base.c
test_static_keys.c
test_sysctl.c test_sysctl: test against int proc_dointvec() array support 2017-07-12 16:26:00 -07:00
test_user_copy.c lib: remove check for AVR32 arch in test_user_copy 2017-05-01 09:36:30 +02:00
test_uuid.c uuid: fix incorrect uuid_equal conversion in test_uuid_test 2017-07-21 09:38:30 +02:00
textsearch.c
timerqueue.c
ts_bm.c
ts_fsm.c textsearch: fix typos in library helpers 2017-10-22 03:14:07 +01:00
ts_kmp.c textsearch: fix typos in library helpers 2017-10-22 03:14:07 +01:00
ubsan.c
ubsan.h
ucs2_string.c
usercopy.c copy_{from,to}_user(): move kasan checks and might_fault() out-of-line 2017-06-29 22:21:20 -04:00
uuid.c uuid: hoist uuid_is_null() helper from libnvdimm 2017-06-05 16:59:05 +02:00
vsprintf.c DeviceTree for 4.13: 2017-07-07 10:37:54 -07:00
win_minmax.c
xxhash.c lib: Add xxhash module 2017-08-15 09:02:07 -07:00