From: Ben Hutchings <ben@decadent.org.uk>
To: Dan Rosenberg <drosenberg@vsecurity.com>,
Russell King <rmk+kernel@arm.linux.org.uk>
Cc: Greg KH <gregkh@suse.de>,
linux-kernel@vger.kernel.org, stable@kernel.org,
akpm@linux-foundation.org, torvalds@linux-foundation.org,
stable-review@kernel.org, alan@lxorguk.ukuu.org.uk
Subject: Re: [Stable-review] [patch 31/38] ARM: 6891/1: prevent heap corruption in OABI semtimedop
Date: Sat, 07 May 2011 02:49:50 +0100
Message-ID: <1304732990.3203.61.camel@localhost>
In-Reply-To: <20110506001210.350968533@clark.kroah.org>
On Thu, 2011-05-05 at 17:11 -0700, Greg KH wrote:
> 2.6.38-stable review patch. If anyone has any objections, please let us know.
>
> ------------------
>
> From: Dan Rosenberg <drosenberg@vsecurity.com>
>
> commit 0f22072ab50cac7983f9660d33974b45184da4f9 upstream.
>
> When CONFIG_OABI_COMPAT is set, the wrapper for semtimedop does not
> bound the nsops argument. A sufficiently large value will cause an
> integer overflow in allocation size, followed by copying too much data
> into the allocated buffer. Fix this by restricting nsops to SEMOPM.
> Untested.
>
> Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
> Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
>
> ---
> arch/arm/kernel/sys_oabi-compat.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> --- a/arch/arm/kernel/sys_oabi-compat.c
> +++ b/arch/arm/kernel/sys_oabi-compat.c
> @@ -311,7 +311,7 @@ asmlinkage long sys_oabi_semtimedop(int
> long err;
> int i;
>
> - if (nsops < 1)
> + if (nsops < 1 || nsops > SEMOPM)
> return -EINVAL;
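Review bot: the merged condition returns -EINVAL for both an empty operation list and an oversized one, so a caller cannot tell the two apart; since the manual page specifies E2BIG for nsops above SEMOPM, consider keeping the existing `if (nsops < 1) return -EINVAL;` and adding a separate `if (nsops > SEMOPM) return -E2BIG;`. The commit message also says "Untested", so it would be worth exercising nsops = 0, 1, SEMOPM and SEMOPM + 1 on an OABI-compat build before this goes into stable.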
It's not that important, but the manual page says the error code should
be E2BIG in the latter case.
Ben.
--
Ben Hutchings
Once a job is fouled up, anything done to improve it makes it worse.
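An added user-space model of the check under discussion, not code from the thread or from the kernel: it shows why the bound on nsops matters (the allocation size is computed as sizeof(struct) * nsops in a 32-bit size_t, modelled here with uint32_t) and what the check looks like when an oversized count returns E2BIG as Ben's reply suggests. SEMOPM is 500 as in the kernel's sem.h; the 8-byte struct layout and all function names are assumptions of this example.

```c
#include <errno.h>
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* SEMOPM: kernel's per-call limit on semaphore operations (sem.h: 500). */
#define SEMOPM 500

/* Assumed 8-byte layout standing in for the legacy OABI sembuf. */
struct oabi_sembuf {
    uint16_t sem_num;
    int16_t  sem_op;
    int16_t  sem_flg;
    uint16_t pad;
};

/* Models the unbounded path: size_t is 32 bits on 32-bit ARM, so the
 * multiplication silently wraps for a large nsops. Returns the wrapped
 * byte count that would have been passed to the allocator. */
uint32_t alloc_size_unchecked(uint32_t nsops)
{
    return (uint32_t)sizeof(struct oabi_sembuf) * nsops;
}

/* Bound check with the error codes the manual page specifies:
 * EINVAL for an empty list, E2BIG for a list longer than SEMOPM. */
int check_nsops(uint32_t nsops)
{
    if (nsops < 1)
        return -EINVAL;
    if (nsops > SEMOPM)
        return -E2BIG;
    return 0;
}

/* Compute the allocation size only after the bound passes, and guard the
 * multiplication explicitly so the overflow safety does not depend on
 * the value of SEMOPM. Returns the size, or a negative errno. */
int64_t alloc_size_checked(uint32_t nsops)
{
    int err = check_nsops(nsops);
    if (err)
        return err;
    if (nsops > UINT32_MAX / sizeof(struct oabi_sembuf))
        return -E2BIG;
    return (int64_t)((uint32_t)sizeof(struct oabi_sembuf) * nsops);
}

int main(void)
{
    uint32_t n = 0x20000000u; /* constructed: 2^29 ops * 8 bytes wraps to 0 */
    printf("unchecked size for %u ops: %u bytes\n", n, alloc_size_unchecked(n));
    printf("checked result: %lld\n", (long long)alloc_size_checked(n));
    return 0;
}
```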