From: Greg KH <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: torvalds@linux-foundation.org, akpm@linux-foundation.org,
	alan@lxorguk.ukuu.org.uk,
	Dan Carpenter <dan.carpenter@oracle.com>,
	Jens Axboe <axboe@kernel.dk>
Subject: [06/15] relay: prevent integer overflow in relay_open()
Date: Thu, 16 Feb 2012 16:55:15 -0800
Message-ID: <20120217005510.716165646@linuxfoundation.org>
In-Reply-To: <20120217005650.GA17119@kroah.com>

3.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <dan.carpenter@oracle.com>

commit f6302f1bcd75a042df69866d98b8d775a668f8f1 upstream.

"subbuf_size" and "n_subbufs" come from the user and they need to be
capped to prevent an integer overflow.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 kernel/relay.c |   10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

--- a/kernel/relay.c
+++ b/kernel/relay.c
@@ -164,10 +164,14 @@ depopulate:
  */
 static struct rchan_buf *relay_create_buf(struct rchan *chan)
 {
-	struct rchan_buf *buf = kzalloc(sizeof(struct rchan_buf), GFP_KERNEL);
-	if (!buf)
+	struct rchan_buf *buf;
+
+	if (chan->n_subbufs > UINT_MAX / sizeof(size_t *))
 		return NULL;
 
+	buf = kzalloc(sizeof(struct rchan_buf), GFP_KERNEL);
+	if (!buf)
+		return NULL;
 	buf->padding = kmalloc(chan->n_subbufs * sizeof(size_t *), GFP_KERNEL);
 	if (!buf->padding)
 		goto free_buf;
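Review bot: The new guard at the top of relay_create_buf() sits several lines away from the multiplication it protects, `kmalloc(chan->n_subbufs * sizeof(size_t *), GFP_KERNEL)`, and nothing ties the two together, so a later change to the element size or the allocation could leave the check stale. An array allocator that does the overflow test itself (kcalloc(), if zeroing the padding array is acceptable) would keep the bound and the allocation in one call; failing that, a one-line comment on the guard naming the buf->padding allocation would do. The limit is UINT_MAX rather than the maximum of the type kmalloc() takes for its size, which is stricter than required where that type is wider than unsigned int; that is safe, but worth stating in the comment so the choice reads as deliberate. Moving the kzalloc() below the guard is right, since the early return then has nothing to free.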
@@ -574,6 +578,8 @@ struct rchan *relay_open(const char *bas
 
 	if (!(subbuf_size && n_subbufs))
 		return NULL;
+	if (subbuf_size > UINT_MAX / n_subbufs)
+		return NULL;
 
 	chan = kzalloc(sizeof(struct rchan), GFP_KERNEL);
 	if (!chan)
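Review bot: The added test `subbuf_size > UINT_MAX / n_subbufs` in relay_open() is only safe from a divide-by-zero because it follows the `!(subbuf_size && n_subbufs)` check, and that ordering dependency is not documented; a short comment, or folding both tests into one commented block, would stop someone reordering them later. The hunk also does not show where the subbuf_size * n_subbufs product is consumed, so the comment should name that use and say why UINT_MAX is the chosen ceiling. Callers now get NULL for an oversized request exactly as they do for an allocation failure, so the function's header comment should state the new limit on the two size parameters.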


