mm: memblock: fix wrong memmove size in memblock_merge_regions() · c0232ae8

Lin Feng authored

The memmove span covers from (next+1) to the end of the array, and the
index of next is (i+1), so the index of (next+1) is (i+2). So the size
of the remaining array elements is (type->cnt - (i + 2)).

Since the remaining elements of the memblock array are moved forward by
one element and there is only one additional element caused by this bug,
there won't be any write overflow here, only a read overflow. It may
read one more element past the array's end if the array happens to
be full. Commonly it doesn't matter at all, but if the array happens to
be located at the end of a memblock, it may cause an invalid read operation
because the physical address doesn't exist.

There are 2 *happens to be* here, so I think the probability is quite
low; I don't know if anyone has been haunted by this bug before.

Mostly I think it's user-invisible.

Signed-off-by: Lin Feng <linfeng@cn.fujitsu.com>
Acked-by: Tejun Heo <tj@kernel.org>
Reviewed-by: Wanpeng Li <liwanp@linux.vnet.ibm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
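The off-by-one described in the commit message is easiest to see in a small model of the merge step. The following is an added example, not the kernel's memblock code: `struct region_type`, `MAX_REGIONS` and the sample regions are constructed here, and the `buggy` size expression `cnt - (i + 1)` is assumed to be the pre-fix form implied by the message (the fixed form is the one the message gives, `type->cnt - (i + 2)`). Rather than perform the out-of-bounds read, `merge_reads_past_array()` computes the source span of the memmove and reports whether it runs past the array, so the "only when the array is full" condition can be checked safely.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified model, constructed for this example (not the kernel's structs). */
#define MAX_REGIONS 4

struct region {
    unsigned long base;
    unsigned long size;
};

struct region_type {
    unsigned long cnt;                 /* number of used entries */
    unsigned long max;                 /* array capacity */
    struct region regions[MAX_REGIONS];
};

/* Element count the memmove would use: assumed pre-fix form vs fixed form.
 * next = i + 1, so the span to move starts at index (i + 2). */
static unsigned long move_count(unsigned long cnt, unsigned long i, bool buggy)
{
    return buggy ? cnt - (i + 1) : cnt - (i + 2);
}

/* Index one past the last element the memmove would read. */
static unsigned long read_span_end(unsigned long cnt, unsigned long i, bool buggy)
{
    return (i + 2) + move_count(cnt, i, buggy);
}

/* True if the memmove source span extends beyond the array (read overflow). */
bool merge_reads_past_array(unsigned long cnt, unsigned long max,
                            unsigned long i, bool buggy)
{
    return read_span_end(cnt, i, buggy) > max;
}

/* Merge region i with region i+1 using the corrected size; returns new cnt. */
unsigned long merge_adjacent(struct region_type *type, unsigned long i)
{
    struct region *cur = &type->regions[i];
    struct region *next = &type->regions[i + 1];
    unsigned long tail = type->cnt - (i + 2);   /* elements after next */

    cur->size += next->size;
    memmove(next, next + 1, tail * sizeof(*next));
    type->cnt--;
    return type->cnt;
}

/* Constructed sample: a full array whose first two regions are contiguous. */
static struct region_type sample_full_array(void)
{
    struct region_type t = {
        .cnt = 4, .max = MAX_REGIONS,
        .regions = { {0x0000, 0x1000}, {0x1000, 0x1000},
                     {0x3000, 0x1000}, {0x5000, 0x1000} },
    };
    return t;
}

unsigned long demo_merge_cnt(void)
{
    struct region_type t = sample_full_array();
    return merge_adjacent(&t, 0);
}

unsigned long demo_merge_base(unsigned long idx)
{
    struct region_type t = sample_full_array();
    merge_adjacent(&t, 0);
    return t.regions[idx].base;
}

unsigned long demo_merge_size(unsigned long idx)
{
    struct region_type t = sample_full_array();
    merge_adjacent(&t, 0);
    return t.regions[idx].size;
}

int main(void)
{
    printf("full array, buggy size reads past end: %d\n",
           merge_reads_past_array(4, MAX_REGIONS, 0, true));
    printf("full array, fixed size reads past end: %d\n",
           merge_reads_past_array(4, MAX_REGIONS, 0, false));
    printf("array with one free slot, buggy size reads past end: %d\n",
           merge_reads_past_array(3, MAX_REGIONS, 0, true));
    printf("after merge: cnt=%lu region[1].base=0x%lx\n",
           demo_merge_cnt(), demo_merge_base(1));
    return 0;
}
```

With the assumed pre-fix size the source span ends at index `cnt - i + 1`, one past `max` whenever `cnt == max`; with one free slot the extra element read is still inside the array, which is why the message describes the fault as depending on the array happening to be full.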
memblock.c 29.1 KB