Google Git
Sign in
kernel / pub / scm / linux / kernel / git / stable / stable-queue / 17d726468c7082caab1b07ef78a67548c18705c5 / . / releases / 3.4.21 / parisc-fix-user-triggerable-panic-on-parisc.patch
blob: cb63c921557116c4ee026b748572c801f0dfc2f0 [file] [log] [blame]
From 441a179dafc0f99fc8b3a8268eef66958621082e Mon Sep 17 00:00:00 2001
From: Al Viro <viro@ZenIV.linux.org.uk>
Date: Wed, 21 Nov 2012 19:27:23 +0000
Subject: PARISC: fix user-triggerable panic on parisc
From: Al Viro <viro@ZenIV.linux.org.uk>
commit 441a179dafc0f99fc8b3a8268eef66958621082e upstream.
int sys32_rt_sigprocmask(int how, compat_sigset_t __user *set, compat_sigset_t __user *oset,
unsigned int sigsetsize)
{
sigset_t old_set, new_set;
int ret;
if (set && get_sigset32(set, &new_set, sigsetsize))
...
static int
get_sigset32(compat_sigset_t __user *up, sigset_t *set, size_t sz)
{
compat_sigset_t s;
int r;
if (sz != sizeof *set) panic("put_sigset32()");
In other words, rt_sigprocmask(69, (void *)69, 69) done by 32bit process
will promptly panic the box.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/parisc/kernel/signal32.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
--- a/arch/parisc/kernel/signal32.c
+++ b/arch/parisc/kernel/signal32.c
@@ -67,7 +67,8 @@ put_sigset32(compat_sigset_t __user *up,
{
compat_sigset_t s;
- if (sz != sizeof *set) panic("put_sigset32()");
+ if (sz != sizeof *set)
+ return -EINVAL;
sigset_64to32(&s, set);
return copy_to_user(up, &s, sizeof s);
@@ -79,7 +80,8 @@ get_sigset32(compat_sigset_t __user *up,
compat_sigset_t s;
int r;
- if (sz != sizeof *set) panic("put_sigset32()");
+ if (sz != sizeof *set)
+ return -EINVAL;
if ((r = copy_from_user(&s, up, sz)) == 0) {
sigset_32to64(set, &s);