| From f9a600423a922237ac48be4f6774e21ccc0b923a Mon Sep 17 00:00:00 2001 |
| From: Dan Rosenberg <drosenberg@vsecurity.com> |
| Date: Fri, 29 Apr 2011 15:48:07 +0100 |
| Subject: [PATCH] ARM: 6891/1: prevent heap corruption in OABI semtimedop |
| |
| commit 0f22072ab50cac7983f9660d33974b45184da4f9 upstream. |
| |
| When CONFIG_OABI_COMPAT is set, the wrapper for semtimedop does not |
| bound the nsops argument. A sufficiently large value will cause an |
| integer overflow in allocation size, followed by copying too much data |
| into the allocated buffer. Fix this by restricting nsops to SEMOPM. |
| Untested. |
| |
| Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com> |
| Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk> |
| Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> |
| |
| diff --git a/arch/arm/kernel/sys_oabi-compat.c b/arch/arm/kernel/sys_oabi-compat.c |
| index 33ff678..73bb15c 100644 |
| --- a/arch/arm/kernel/sys_oabi-compat.c |
| +++ b/arch/arm/kernel/sys_oabi-compat.c |
| @@ -311,7 +311,7 @@ asmlinkage long sys_oabi_semtimedop(int semid, |
| long err; |
| int i; |
| |
| - if (nsops < 1) |
| + if (nsops < 1 || nsops > SEMOPM) |
| return -EINVAL; |
| sops = kmalloc(sizeof(*sops) * nsops, GFP_KERNEL); |
| if (!sops) |
| -- |
| 1.7.7 |
| |
