| Message ID | 20240602221525.4257-1-cel@kernel.org (mailing list archive) |
|---|---|
| State | New |
| Headers | show |
| Series | SUNRPC: Fix loop termination condition in gss_free_in_token_pages() | expand |
On 2 Jun 2024, at 18:15, cel@kernel.org wrote: > From: Chuck Lever <chuck.lever@oracle.com> > > The in_token->pages[] array is not NULL terminated. This results in > the following KASAN splat: > > KASAN: maybe wild-memory-access in range [0x04a2013400000008-0x04a201340000000f] > > Fixes: bafa6b4d95d9 ("SUNRPC: Fix gss_free_in_token_pages()") > Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Nice. Reviewed-by: Benjamin Coddington <bcodding@redhat.com> Ben
On Mon, Jun 03, 2024 at 08:33:51AM -0400, Benjamin Coddington wrote: > On 2 Jun 2024, at 18:15, cel@kernel.org wrote: > > > From: Chuck Lever <chuck.lever@oracle.com> > > > > The in_token->pages[] array is not NULL terminated. This results in > > the following KASAN splat: > > > > KASAN: maybe wild-memory-access in range [0x04a2013400000008-0x04a201340000000f] > > > > Fixes: bafa6b4d95d9 ("SUNRPC: Fix gss_free_in_token_pages()") > > Signed-off-by: Chuck Lever <chuck.lever@oracle.com> > > Nice. > > Reviewed-by: Benjamin Coddington <bcodding@redhat.com> > > Ben > Thank you, Ben. Applied to nfsd-fixes (for 6.10-rc).
diff --git a/net/sunrpc/auth_gss/svcauth_gss.c b/net/sunrpc/auth_gss/svcauth_gss.c index 96ab50eda9c2..73a90ad873fb 100644 --- a/net/sunrpc/auth_gss/svcauth_gss.c +++ b/net/sunrpc/auth_gss/svcauth_gss.c @@ -1069,7 +1069,7 @@ static int gss_read_proxy_verf(struct svc_rqst *rqstp, goto out_denied_free; pages = DIV_ROUND_UP(inlen, PAGE_SIZE); - in_token->pages = kcalloc(pages, sizeof(struct page *), GFP_KERNEL); + in_token->pages = kcalloc(pages + 1, sizeof(struct page *), GFP_KERNEL); if (!in_token->pages) goto out_denied_free; in_token->page_base = 0;