commit | a64a21f6de4faf41b74800275be0552f55e83699 | [log] [tgz] |
---|---|---|
author | Mohamed Ghannam <simo.ghannam@gmail.com> | Tue Jan 02 19:44:34 2018 +0000 |
committer | Ben Hutchings <ben@decadent.org.uk> | Tue Feb 13 18:42:31 2018 +0000 |
tree | 85d82a723d343fc5f6adf46f95827dd6b1c3a59c | |
parent | bf101edbb0ad37a6cd970cb98a9f1ae950b719f1 [diff] |
RDS: Heap OOB write in rds_message_alloc_sgs() commit c095508770aebf1b9218e77026e48345d719b17c upstream. When args->nr_local is 0, nr_pages gets also 0 due some size calculation via rds_rm_size(), which is later used to allocate pages for DMA, this bug produces a heap Out-Of-Bound write access to a specific memory region. Signed-off-by: Mohamed Ghannam <simo.ghannam@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Ben Hutchings <ben@decadent.org.uk>