Re: [PATCH 1/2] ras: fix an off-by-one error in __find_elem()

From: Borislav Petkov
Date: Tue Apr 16 2019 - 05:07:34 EST


On Mon, Apr 15, 2019 at 06:20:00PM -0700, Cong Wang wrote:
> ce_arr.array[] is always within the range [0, ce_arr.n-1].
> However, the binary search code in __find_elem() uses ce_arr.n
> as the maximum index, which could lead to an off-by-one
> out-of-bound access when the element after the last is exactly
> the one that just got deleted, that is, 'min' returned to caller as
> 'ce_arr.n'.

Sorry, I don't follow.

There's a debugfs interface in /sys/kernel/debug/ras/cec/ with which you
can input random PFNs and test the thing.

Show me pls how this can happen with an example.

Thx.

--
Regards/Gruss,
Boris.

Good mailing practices for 400: avoid top-posting and trim the reply.
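
The case the quoted commit message describes, as an added example that is not part of this message and is not the kernel's code: a simplified user-space model of a sorted array searched with the element count as the upper bound. All names (arr, find_buggy, find_fixed, del_elem, demo) and values are constructed, and the inclusive-bound search is one assumed way to close the gap, not the patch under review.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct arr { uint64_t a[8]; int n; };  /* logical range is a[0..n-1] */

/* Search with max = n, then read a[min] without checking min < n. */
static int find_buggy(const struct arr *c, uint64_t key)
{
    int min = 0, max = c->n;
    while (min < max) {
        int mid = (min + max) >> 1;
        if (c->a[mid] < key) min = mid + 1;
        else if (c->a[mid] > key) max = mid;
        else { min = mid; break; }
    }
    return c->a[min] == key ? min : -1;  /* min == n reads a stale slot */
}

/* Assumed fix: inclusive upper bound n-1, so slot n is never read. */
static int find_fixed(const struct arr *c, uint64_t key)
{
    int min = 0, max = c->n - 1;
    while (min <= max) {
        int mid = min + (max - min) / 2;
        if (c->a[mid] < key) min = mid + 1;
        else if (c->a[mid] > key) max = mid - 1;
        else return mid;
    }
    return -1;
}

static void del_elem(struct arr *c, int idx)
{
    memmove(&c->a[idx], &c->a[idx + 1], (size_t)(c->n - idx - 1) * sizeof c->a[0]);
    c->n--;  /* tail shifted down; the old last slot keeps its value */
}

static int demo(int (*find)(const struct arr *, uint64_t))
{
    struct arr c = { .a = { 0x10, 0x20, 0x30 }, .n = 3 };  /* constructed */
    del_elem(&c, 2);           /* n becomes 2, a[2] still holds 0x30 */
    return find(&c, 0x30);     /* look up the element just deleted */
}

int main(void)
{
    printf("buggy=%d fixed=%d\n", demo(find_buggy), demo(find_fixed));
}
```

In this model the lookup with the exclusive bound returns index 2, which equals the element count after the delete, while the inclusive-bound lookup reports the key as absent.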