From patchwork Thu May  4 03:14:22 2023
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Peng Zhang <zhangpeng.00@bytedance.com>
X-Patchwork-Id: 13230712
Return-Path: <owner-linux-mm@kvack.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 7E384C77B78
	for <linux-mm@archiver.kernel.org>; Thu,  4 May 2023 03:14:35 +0000 (UTC)
Received: by kanga.kvack.org (Postfix)
	id DF11C6B007B; Wed,  3 May 2023 23:14:34 -0400 (EDT)
Received: by kanga.kvack.org (Postfix, from userid 40)
	id DA1296B007D; Wed,  3 May 2023 23:14:34 -0400 (EDT)
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id C8FAD6B007E; Wed,  3 May 2023 23:14:34 -0400 (EDT)
X-Delivered-To: linux-mm@kvack.org
Received: from mail-pg1-f171.google.com (mail-pg1-f171.google.com
 [209.85.215.171])
	by kanga.kvack.org (Postfix) with ESMTP id 9AD8B6B007B
	for <linux-mm@kvack.org>; Wed,  3 May 2023 23:14:34 -0400 (EDT)
Received: by mail-pg1-f171.google.com with SMTP id
 41be03b00d2f7-528dd896165so3576548a12.2
        for <linux-mm@kvack.org>; Wed, 03 May 2023 20:14:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=bytedance.com; s=google; t=1683170074; x=1685762074;
        h=content-transfer-encoding:mime-version:message-id:date:subject:cc
         :to:from:from:to:cc:subject:date:message-id:reply-to;
        bh=IbPYIto4VB8PDltW6IF9xK2OGAqqGXQQrWkkItyQ7bQ=;
        b=jAriokYZi5Z7BExhmGU/HVnBTY/QZkyPLl/xu3NBLVCCyKB7e1mTttjDqgtmTMubuF
         E/1cwMS+TZ6Ny7VLFC1Ft7NSrpmy16F/ZpEfiLhAWBTku6jfFpCLnXiBZbXUJAwW17HW
         5k8Z07uMYaksRmxDRBAlpSHvhKeUHZii8et2CC1KEMYxmLSZfs/ApniiKpb3sdVeAvk/
         qfYgQzLiVEjzntB4AwcJxpX/nbX3qC2mnb4UfbJIjADYjzyEJcTi/ZtGlvW6BHY0ODPu
         ZDmlaoTeyUPKBysuz7heK1A3v5QfP8W6mesTLdtOyG5Yx3unnIoJc4kAQue75nRX731q
         FicQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20221208; t=1683170074; x=1685762074;
        h=content-transfer-encoding:mime-version:message-id:date:subject:cc
         :to:from:x-gm-message-state:from:to:cc:subject:date:message-id
         :reply-to;
        bh=IbPYIto4VB8PDltW6IF9xK2OGAqqGXQQrWkkItyQ7bQ=;
        b=OcauVWemBroAgS7BWJ7Zbu2DX+MUS8+9CQwoc0YPArbowMftg2bCdxrl40lxwtPyz/
         R25bXMs5BtYffpXbbRbBHW+rJ8aYZd3QcfVOUBHfAX6N/DQZSa37rGzX9sLK5PHUdeH4
         rq170Rp68LybmXn5VCNhyMpyG3Rtp89qiS6soTZj7x/8jwbgtzSDDBtnCSC4aBWreZaP
         es2MwjQ3lXLJfUi8cNidCEGeeTEDTuzXoE6lu6CirjXUxgKtknSMCNG9WA33mrphL1gv
         2JohDa1AtGhBXIVA1ZxVVZpgBkAp00sGLgFRQ3JkUimKtSwYP8vWBUwV7cxpanenVbac
         F3eg==
X-Gm-Message-State: AC+VfDwvIhK3mf0GCrxgvM0Y6a68WBHNIFGFrDnfHW44uqfzVy1gDFRG
	NAp0Ke2n81aKLQVo4NJXvdzUwMud/9IQT8BGoGs=
X-Google-Smtp-Source: 
 ACHHUZ6r8kN3MgA8b2V+WIU5T8RQV5qChxp0w8/DRs6oq/rJE4yt3Jai4GFOqdSMEHo8pxqoP7Vc5w==
X-Received: by 2002:a17:90a:7565:b0:247:42bf:380e with SMTP id
 q92-20020a17090a756500b0024742bf380emr837685pjk.4.1683170074005;
        Wed, 03 May 2023 20:14:34 -0700 (PDT)
Received: from GL4FX4PXWL.bytedance.net ([139.177.225.232])
        by smtp.gmail.com with ESMTPSA id
 t20-20020a17090aba9400b0023b4d4ca3a9sm10160834pjr.50.2023.05.03.20.14.30
        (version=TLS1_3 cipher=TLS_CHACHA20_POLY1305_SHA256 bits=256/256);
        Wed, 03 May 2023 20:14:33 -0700 (PDT)
From: Peng Zhang <zhangpeng.00@bytedance.com>
To: Liam.Howlett@oracle.com
Cc: akpm@linux-foundation.org,
	linux-mm@kvack.org,
	linux-kernel@vger.kernel.org,
	maple-tree@lists.infradead.org,
	Peng Zhang <zhangpeng.00@bytedance.com>
Subject: [PATCH] maple_tree: Fix potential out-of-bounds access in
 mas_wr_end_piv()
Date: Thu,  4 May 2023 11:14:22 +0800
Message-Id: <20230504031422.47506-1-zhangpeng.00@bytedance.com>
X-Mailer: git-send-email 2.37.0 (Apple Git-136)
MIME-Version: 1.0
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>

Access to the pivots array may be out of bounds. Fix it by changing the
code to ensure that the index of the pivots does not go out of bounds.
It is difficult to assess user-visible impact.

Fixes: 54a611b60590 ("Maple Tree: add new data structure")
Signed-off-by: Peng Zhang <zhangpeng.00@bytedance.com>
Reviewed-by: Liam R. Howlett <Liam.Howlett@oracle.com>
---
 lib/maple_tree.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/lib/maple_tree.c b/lib/maple_tree.c
index 110a36479dced..5a49327444d76 100644
--- a/lib/maple_tree.c
+++ b/lib/maple_tree.c
@@ -4263,11 +4263,13 @@ static inline bool mas_wr_slot_store(struct ma_wr_state *wr_mas)
 
 static inline void mas_wr_end_piv(struct ma_wr_state *wr_mas)
 {
-	while ((wr_mas->mas->last > wr_mas->end_piv) &&
-	       (wr_mas->offset_end < wr_mas->node_end))
-		wr_mas->end_piv = wr_mas->pivots[++wr_mas->offset_end];
+	while ((wr_mas->offset_end < wr_mas->node_end) &&
+	       (wr_mas->mas->last > wr_mas->pivots[wr_mas->offset_end]))
+		wr_mas->offset_end++;
 
-	if (wr_mas->mas->last > wr_mas->end_piv)
+	if (wr_mas->offset_end < wr_mas->node_end)
+		wr_mas->end_piv = wr_mas->pivots[wr_mas->offset_end];
+	else
 		wr_mas->end_piv = wr_mas->mas->max;
 }
 
@@ -4424,7 +4426,6 @@ static inline void *mas_wr_store_entry(struct ma_wr_state *wr_mas)
 	}
 
 	/* At this point, we are at the leaf node that needs to be altered. */
-	wr_mas->end_piv = wr_mas->r_max;
 	mas_wr_end_piv(wr_mas);
 
 	if (!wr_mas->entry)