* [PATCH] perf_counter: fix buffer overflow in perf_copy_attr()
@ 2009-09-15 6:44 Xiao Guangrong
2009-09-15 6:55 ` Paul Mackerras
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: Xiao Guangrong @ 2009-09-15 6:44 UTC (permalink / raw)
To: Ingo Molnar; +Cc: Peter Zijlstra, Paul Mackerras, LKML
If we pass a big size data over perf_counter_open syscall, the kernel
will copy this data to a small buffer, It will cause kernel crash.
This bug make kernel unsafe and no-root user can trigger it.
Signed-off-by: Xiao Guangrong <xiaoguangrong@cn.fujitsu.com>
---
kernel/perf_counter.c | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/kernel/perf_counter.c b/kernel/perf_counter.c
index 667ab25..75c46c0 100644
--- a/kernel/perf_counter.c
+++ b/kernel/perf_counter.c
@@ -4216,6 +4216,7 @@ static int perf_copy_attr(struct perf_counter_attr __user *uattr,
if (val)
goto err_size;
}
+ size = sizeof(*attr);
}
ret = copy_from_user(attr, uattr, size);
--
1.6.1.2
^ permalink raw reply related [flat|nested] 4+ messages in thread* Re: [PATCH] perf_counter: fix buffer overflow in perf_copy_attr()
2009-09-15 6:44 [PATCH] perf_counter: fix buffer overflow in perf_copy_attr() Xiao Guangrong
@ 2009-09-15 6:55 ` Paul Mackerras
2009-09-15 7:40 ` Peter Zijlstra
2009-09-15 9:21 ` [tip:perfcounters/urgent] perf_counter: Fix " tip-bot for Xiao Guangrong
2 siblings, 0 replies; 4+ messages in thread
From: Paul Mackerras @ 2009-09-15 6:55 UTC (permalink / raw)
To: Xiao Guangrong; +Cc: Ingo Molnar, Peter Zijlstra, LKML
Xiao Guangrong writes:
> If we pass a big size data over perf_counter_open syscall, the kernel
> will copy this data to a small buffer, It will cause kernel crash.
>
> This bug make kernel unsafe and no-root user can trigger it.
>
> Signed-off-by: Xiao Guangrong <xiaoguangrong@cn.fujitsu.com>
> ---
> kernel/perf_counter.c | 1 +
> 1 files changed, 1 insertions(+), 0 deletions(-)
>
> diff --git a/kernel/perf_counter.c b/kernel/perf_counter.c
> index 667ab25..75c46c0 100644
> --- a/kernel/perf_counter.c
> +++ b/kernel/perf_counter.c
> @@ -4216,6 +4216,7 @@ static int perf_copy_attr(struct perf_counter_attr __user *uattr,
> if (val)
> goto err_size;
> }
> + size = sizeof(*attr);
Looks right to me.
Acked-by: Paul Mackerras <paulus@samba.org>
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] perf_counter: fix buffer overflow in perf_copy_attr()
2009-09-15 6:44 [PATCH] perf_counter: fix buffer overflow in perf_copy_attr() Xiao Guangrong
2009-09-15 6:55 ` Paul Mackerras
@ 2009-09-15 7:40 ` Peter Zijlstra
2009-09-15 9:21 ` [tip:perfcounters/urgent] perf_counter: Fix " tip-bot for Xiao Guangrong
2 siblings, 0 replies; 4+ messages in thread
From: Peter Zijlstra @ 2009-09-15 7:40 UTC (permalink / raw)
To: Xiao Guangrong; +Cc: Ingo Molnar, Paul Mackerras, LKML
On Tue, 2009-09-15 at 14:44 +0800, Xiao Guangrong wrote:
> If we pass a big size data over perf_counter_open syscall, the kernel
> will copy this data to a small buffer, It will cause kernel crash.
>
> This bug make kernel unsafe and no-root user can trigger it.
Ah, indeed. Thanks!
Acked-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
> Signed-off-by: Xiao Guangrong <xiaoguangrong@cn.fujitsu.com>
> ---
> kernel/perf_counter.c | 1 +
> 1 files changed, 1 insertions(+), 0 deletions(-)
>
> diff --git a/kernel/perf_counter.c b/kernel/perf_counter.c
> index 667ab25..75c46c0 100644
> --- a/kernel/perf_counter.c
> +++ b/kernel/perf_counter.c
> @@ -4216,6 +4216,7 @@ static int perf_copy_attr(struct perf_counter_attr __user *uattr,
> if (val)
> goto err_size;
> }
> + size = sizeof(*attr);
> }
>
> ret = copy_from_user(attr, uattr, size);
^ permalink raw reply [flat|nested] 4+ messages in thread
* [tip:perfcounters/urgent] perf_counter: Fix buffer overflow in perf_copy_attr()
2009-09-15 6:44 [PATCH] perf_counter: fix buffer overflow in perf_copy_attr() Xiao Guangrong
2009-09-15 6:55 ` Paul Mackerras
2009-09-15 7:40 ` Peter Zijlstra
@ 2009-09-15 9:21 ` tip-bot for Xiao Guangrong
2 siblings, 0 replies; 4+ messages in thread
From: tip-bot for Xiao Guangrong @ 2009-09-15 9:21 UTC (permalink / raw)
To: linux-tip-commits
Cc: linux-kernel, paulus, hpa, mingo, peterz, xiaoguangrong, stable,
tglx, mingo
Commit-ID: b3e62e35058fc744ac794611f4e79bcd1c5a4b83
Gitweb: http://git.kernel.org/tip/b3e62e35058fc744ac794611f4e79bcd1c5a4b83
Author: Xiao Guangrong <xiaoguangrong@cn.fujitsu.com>
AuthorDate: Tue, 15 Sep 2009 14:44:36 +0800
Committer: Ingo Molnar <mingo@elte.hu>
CommitDate: Tue, 15 Sep 2009 09:53:31 +0200
perf_counter: Fix buffer overflow in perf_copy_attr()
If we pass a big size data over perf_counter_open() syscall,
the kernel will copy this data to a small buffer, it will
cause kernel crash.
This bug makes the kernel unsafe and non-root local user can
trigger it.
Signed-off-by: Xiao Guangrong <xiaoguangrong@cn.fujitsu.com>
Acked-by: Peter Zijlstra <peterz@infradead.org>
Acked-by: Paul Mackerras <paulus@samba.org>
Cc: <stable@kernel.org>
LKML-Reference: <4AAF37D4.5010706@cn.fujitsu.com>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
---
kernel/perf_counter.c | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/kernel/perf_counter.c b/kernel/perf_counter.c
index d7cbc57..a67a1dc 100644
--- a/kernel/perf_counter.c
+++ b/kernel/perf_counter.c
@@ -4171,6 +4171,7 @@ static int perf_copy_attr(struct perf_counter_attr __user *uattr,
if (val)
goto err_size;
}
+ size = sizeof(*attr);
}
ret = copy_from_user(attr, uattr, size);
^ permalink raw reply related [flat|nested] 4+ messages in thread
end of thread, other threads:[~2009-09-15 9:22 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2009-09-15 6:44 [PATCH] perf_counter: fix buffer overflow in perf_copy_attr() Xiao Guangrong
2009-09-15 6:55 ` Paul Mackerras
2009-09-15 7:40 ` Peter Zijlstra
2009-09-15 9:21 ` [tip:perfcounters/urgent] perf_counter: Fix " tip-bot for Xiao Guangrong
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.