releases/2.6.32.58/relay-prevent-integer-overflow-in-relay_open.patch - pub/scm/linux/kernel/git/longterm/longterm-queue-2.6.32 - Git at Google

 From f6302f1bcd75a042df69866d98b8d775a668f8f1 Mon Sep 17 00:00:00 2001
 From: Dan Carpenter <dan.carpenter@oracle.com>
 Date: Fri, 10 Feb 2012 09:03:58 +0100
 Subject: relay: prevent integer overflow in relay_open()

 From: Dan Carpenter <dan.carpenter@oracle.com>

 commit f6302f1bcd75a042df69866d98b8d775a668f8f1 upstream.

 "subbuf_size" and "n_subbufs" come from the user and they need to be
 capped to prevent an integer overflow.

 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
 Signed-off-by: Jens Axboe <axboe@kernel.dk>
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 ---
  kernel/relay.c |   10 ++++++++--
  1 file changed, 8 insertions(+), 2 deletions(-)

 --- a/kernel/relay.c
 +++ b/kernel/relay.c
 @@ -171,10 +171,14 @@ depopulate:
   */
  static struct rchan_buf *relay_create_buf(struct rchan *chan)
  {
 -	struct rchan_buf *buf = kzalloc(sizeof(struct rchan_buf), GFP_KERNEL);
 -	if (!buf)
 +	struct rchan_buf *buf;
 +
 +	if (chan->n_subbufs > UINT_MAX / sizeof(size_t *))
  		return NULL;

 +	buf = kzalloc(sizeof(struct rchan_buf), GFP_KERNEL);
 +	if (!buf)
 +		return NULL;
  	buf->padding = kmalloc(chan->n_subbufs * sizeof(size_t *), GFP_KERNEL);
  	if (!buf->padding)
  		goto free_buf;
 @@ -581,6 +585,8 @@ struct rchan *relay_open(const char *bas

  	if (!(subbuf_size && n_subbufs))
  		return NULL;
 +	if (subbuf_size > UINT_MAX / n_subbufs)
 +		return NULL;

  	chan = kzalloc(sizeof(struct rchan), GFP_KERNEL);
  	if (!chan)
	From f6302f1bcd75a042df69866d98b8d775a668f8f1 Mon Sep 17 00:00:00 2001
	From: Dan Carpenter <dan.carpenter@oracle.com>
	Date: Fri, 10 Feb 2012 09:03:58 +0100
	Subject: relay: prevent integer overflow in relay_open()

	From: Dan Carpenter <dan.carpenter@oracle.com>

	commit f6302f1bcd75a042df69866d98b8d775a668f8f1 upstream.

	"subbuf_size" and "n_subbufs" come from the user and they need to be
	capped to prevent an integer overflow.

	Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
	Signed-off-by: Jens Axboe <axboe@kernel.dk>
	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

	---
	kernel/relay.c \| 10 ++++++++--
	1 file changed, 8 insertions(+), 2 deletions(-)

	--- a/kernel/relay.c
	+++ b/kernel/relay.c
	@@ -171,10 +171,14 @@ depopulate:
	*/
	static struct rchan_buf relay_create_buf(struct rchan chan)
	{
	- struct rchan_buf *buf = kzalloc(sizeof(struct rchan_buf), GFP_KERNEL);
	- if (!buf)
	+ struct rchan_buf *buf;
	+
	+ if (chan->n_subbufs > UINT_MAX / sizeof(size_t *))
	return NULL;

	+ buf = kzalloc(sizeof(struct rchan_buf), GFP_KERNEL);
	+ if (!buf)
	+ return NULL;
	buf->padding = kmalloc(chan->n_subbufs * sizeof(size_t *), GFP_KERNEL);
	if (!buf->padding)
	goto free_buf;
	@@ -581,6 +585,8 @@ struct rchan relay_open(const char bas

	if (!(subbuf_size && n_subbufs))
	return NULL;
	+ if (subbuf_size > UINT_MAX / n_subbufs)
	+ return NULL;

	chan = kzalloc(sizeof(struct rchan), GFP_KERNEL);
	if (!chan)