sparc64: Fix end-of-stack checking in save_stack_trace().
authorDavid S. Miller <davem@davemloft.net>
Mon, 18 Aug 2008 03:34:14 +0000 (20:34 -0700)
committerGreg Kroah-Hartman <gregkh@suse.de>
Wed, 20 Aug 2008 18:05:11 +0000 (11:05 -0700)
[ Upstream commit 433c5f706856689be25928a99636e724fb3ea7cf ]

Bug reported by Alexander Beregalov.

Before we dereference the stack frame or try to peek at the
pt_regs magic value, make sure the entire object is within
the kernel stack bounds.

Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
arch/sparc64/kernel/stacktrace.c

index c73ce3f4197e67097da288e381dc134203036ec0..c5576e856b1312558df802fef3f9f5c68e1de80a 100644 (file)
@@ -25,13 +25,15 @@ void save_stack_trace(struct stack_trace *trace)
 
                /* Bogus frame pointer? */
                if (fp < (thread_base + sizeof(struct thread_info)) ||
-                   fp >= (thread_base + THREAD_SIZE))
+                   fp > (thread_base + THREAD_SIZE - sizeof(struct sparc_stackf)))
                        break;
 
                sf = (struct sparc_stackf *) fp;
                regs = (struct pt_regs *) (sf + 1);
 
-               if ((regs->magic & ~0x1ff) == PT_REGS_MAGIC) {
+               if (((unsigned long)regs <=
+                    (thread_base + THREAD_SIZE - sizeof(*regs))) &&
+                   (regs->magic & ~0x1ff) == PT_REGS_MAGIC) {
                        if (!(regs->tstate & TSTATE_PRIV))
                                break;
                        pc = regs->tpc;
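Review bot: The two bounds tests are open-coded in different forms and neither says what it protects, so the `/* Bogus frame pointer? */` comment no longer describes the first test fully. I would reword it to `/* Bogus frame pointer? The whole sparc_stackf must lie inside the kernel stack. */` and add `/* Only peek at the magic if a full pt_regs fits below the stack top. */` above the `regs` condition. Nothing in the visible lines checks that `fp` is suitably aligned before the cast to `struct sparc_stackf *`; if that is not established earlier in the loop, an in-range but corrupted frame pointer could still cause a misaligned access, so it is worth confirming. The body of save_stack_trace() starts and ends outside this hunk, so the non-trap-frame path that reads `sf` is not visible here.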