[BUG 6.4] sched/core: Possible buffer overflow in do_set_cpu_allowed

From: Joe Korty
Date: Fri Jul 07 2023 - 16:29:07 EST


In commit 9a5418bc48bab ("sched/core: Use kfree_rcu() in
do_set_cpus_allowed()"), a kfree_rcu() is used to free a cpu mask.
However, cpu masks can be as short as 8 bytes and this is a problem,
as kfree_rcu requires the to-be-freed buffer to be at least 16 bytes.
Thus there is a chance of buffer overflow corruption when the number of
possible cpus in the system is 64 or less.

I have not seen this corruption in the wild. I only noticed this possibility
when reviewing the scheduler differences between 6.1 and 6.4.

Regards,
Joe Korty
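The size mismatch described in the report, as an added user-space model that is not part of the report or of the kernel source. It assumes an LP64 target (8-byte `unsigned long`, so a two-pointer RCU header is 16 bytes) and models a cpumask the way Linux does, as an array of `unsigned long` bit words sized from the possible-CPU count; the names `model_rcu_head`, `model_cpumask_size`, `rcu_head_overflows`, `safe_alloc_size` and `simulate_deferred_free` are this example's own, not kernel APIs. It shows where the 64-CPU threshold in the report comes from, uses a canary to make the overrun visible, and shows the defensive allocation size (the larger of the mask size and the header size) that keeps an in-place RCU header inside the object.

```c
/* Added example (not from the bug report or the kernel): user-space model of
 * why a deferred free that stores its RCU header inside the freed object needs
 * that object to be at least sizeof(rcu_head) bytes.
 * Assumptions (labelled): LP64 longs; rcu_head modelled as two pointers;
 * cpumask modelled as BITS_TO_LONGS(nr_cpus) unsigned longs, as in Linux. */
#include <assert.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Model of struct rcu_head: list link plus callback pointer (16 bytes on LP64). */
struct model_rcu_head {
    struct model_rcu_head *next;
    void (*func)(struct model_rcu_head *);
};

#define BITS_PER_LONG   (8 * sizeof(unsigned long))
#define BITS_TO_LONGS(n) (((n) + BITS_PER_LONG - 1) / BITS_PER_LONG)

/* Bytes needed for a mask covering nr_cpus cpus: whole bit-words, like
 * the kernel's cpumask_size() = BITS_TO_LONGS(nr_cpu_ids) * sizeof(long). */
size_t model_cpumask_size(unsigned nr_cpus)
{
    return BITS_TO_LONGS(nr_cpus) * sizeof(unsigned long);
}

/* 1 if writing an RCU header at offset 0 of a cpumask-sized buffer would
 * run past the end of that buffer (8-byte mask vs 16-byte header on LP64). */
int rcu_head_overflows(unsigned nr_cpus)
{
    return model_cpumask_size(nr_cpus) < sizeof(struct model_rcu_head);
}

/* Defensive allocation size: never smaller than the header that will be
 * overlaid on the object when it is queued for deferred freeing. */
size_t safe_alloc_size(unsigned nr_cpus)
{
    size_t s = model_cpumask_size(nr_cpus);
    return s < sizeof(struct model_rcu_head) ? sizeof(struct model_rcu_head) : s;
}

static void noop_cb(struct model_rcu_head *h) { (void)h; }

/* Simulate queuing an object of alloc_size bytes for deferred free by writing
 * the RCU header into it, with a canary placed right after the object.
 * Returns 1 if the canary was clobbered (an overflow occurred), else 0. */
int simulate_deferred_free(size_t alloc_size)
{
    const unsigned char CANARY = 0xA5;
    const size_t canary_len = sizeof(struct model_rcu_head);   /* >= any overrun */
    unsigned char *buf = calloc(1, alloc_size + canary_len);   /* object + canary */
    int clobbered = 0;

    if (!buf)
        return -1;
    memset(buf + alloc_size, CANARY, canary_len);

    /* The header write the deferred-free API performs on the object itself.
     * memcpy keeps the model well defined even when alloc_size < sizeof head. */
    struct model_rcu_head head = { .next = NULL, .func = noop_cb };
    memcpy(buf, &head, sizeof head);

    for (size_t i = 0; i < canary_len; i++)
        if (buf[alloc_size + i] != CANARY)
            clobbered = 1;
    free(buf);
    return clobbered;
}

int main(void)
{
    for (unsigned n = 8; n <= 256; n *= 2)
        printf("nr_cpus=%3u mask=%2zu bytes  overflow-on-naive-size=%d  safe-size=%zu\n",
               n, model_cpumask_size(n),
               simulate_deferred_free(model_cpumask_size(n)), safe_alloc_size(n));
    return 0;
}
```

On a 64-bit host the loop shows the mask staying at 8 bytes up to 64 CPUs, so the naive allocation overflows for exactly the range the report names, while `safe_alloc_size()` pads those cases to 16 bytes and the canary stays intact. The check that matters for review is therefore a single comparison at the allocation site: the object handed to a deferred free must be at least as large as the header that will be stored in it.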