| From 7de249964f5578e67b99699c5f0b405738d820a2 Mon Sep 17 00:00:00 2001 |
| From: Dave Weinstein <olorin@google.com> |
| Date: Thu, 28 Jul 2016 11:55:41 -0700 |
| Subject: arm: oabi compat: add missing access checks |
| |
| From: Dave Weinstein <olorin@google.com> |
| |
| commit 7de249964f5578e67b99699c5f0b405738d820a2 upstream. |
| |
| Add access checks to sys_oabi_epoll_wait() and sys_oabi_semtimedop(). |
| This fixes CVE-2016-3857, a local privilege escalation under |
| CONFIG_OABI_COMPAT. |
| |
| Reported-by: Chiachih Wu <wuchiachih@gmail.com> |
| Reviewed-by: Kees Cook <keescook@chromium.org> |
| Reviewed-by: Nicolas Pitre <nico@linaro.org> |
| Signed-off-by: Dave Weinstein <olorin@google.com> |
| Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| arch/arm/kernel/sys_oabi-compat.c | 8 +++++++- |
| 1 file changed, 7 insertions(+), 1 deletion(-) |
| |
| --- a/arch/arm/kernel/sys_oabi-compat.c |
| +++ b/arch/arm/kernel/sys_oabi-compat.c |
| @@ -279,8 +279,12 @@ asmlinkage long sys_oabi_epoll_wait(int |
| mm_segment_t fs; |
| long ret, err, i; |
| |
| - if (maxevents <= 0 || maxevents > (INT_MAX/sizeof(struct epoll_event))) |
| + if (maxevents <= 0 || |
| + maxevents > (INT_MAX/sizeof(*kbuf)) || |
| + maxevents > (INT_MAX/sizeof(*events))) |
| return -EINVAL; |
| + if (!access_ok(VERIFY_WRITE, events, sizeof(*events) * maxevents)) |
| + return -EFAULT; |
| kbuf = kmalloc(sizeof(*kbuf) * maxevents, GFP_KERNEL); |
| if (!kbuf) |
| return -ENOMEM; |
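Review bot: The new `access_ok(VERIFY_WRITE, events, ...)` check carries no comment explaining why it is needed or why its position matters. access_ok() tests the range against the address limit in force when it is called, and the `mm_segment_t fs;` local suggests this function switches that limit later, outside the hunk, so the check has to stay ahead of that point. The write-back to `events` is also outside the hunk and presumably uses unchecked accessors, which is why this up-front check is the only validation of the user range. I would add above it `/* Validate the whole user range up front; this must run before the address limit is changed. */`. The `tsops` check in the sys_oabi_semtimedop hunk deserves the same kind of comment.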
| @@ -317,6 +321,8 @@ asmlinkage long sys_oabi_semtimedop(int |
| |
| if (nsops < 1 || nsops > SEMOPM) |
| return -EINVAL; |
| + if (!access_ok(VERIFY_READ, tsops, sizeof(*tsops) * nsops)) |
| + return -EFAULT; |
| sops = kmalloc(sizeof(*sops) * nsops, GFP_KERNEL); |
| if (!sops) |
| return -ENOMEM; |
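Review bot: The allocation that follows the new check still multiplies by hand, `kmalloc(sizeof(*sops) * nsops, GFP_KERNEL)`, so its overflow safety depends entirely on the `nsops > SEMOPM` guard a few lines earlier staying in place. Writing it as `sops = kmalloc_array(nsops, sizeof(*sops), GFP_KERNEL);` keeps an overflow check attached to the allocation itself. The same applies to `kbuf = kmalloc(sizeof(*kbuf) * maxevents, GFP_KERNEL)` in the sys_oabi_epoll_wait hunk, where the hand-written `INT_MAX/sizeof(*kbuf)` clause is currently the only protection. Both function bodies continue outside their hunks, so this covers only the lines shown.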