From: Ben Hutchings <ben@decadent.org.uk>
To: Dan Rosenberg <drosenberg@vsecurity.com>,
Russell King <rmk+kernel@arm.linux.org.uk>
Cc: Greg KH <gregkh@suse.de>,
linux-kernel@vger.kernel.org, stable@kernel.org,
akpm@linux-foundation.org, torvalds@linux-foundation.org,
stable-review@kernel.org, alan@lxorguk.ukuu.org.uk
Subject: Re: [Stable-review] [patch 31/38] ARM: 6891/1: prevent heap corruption in OABI semtimedop
Date: Sat, 07 May 2011 02:49:50 +0100 [thread overview]
Message-ID: <1304732990.3203.61.camel@localhost> (raw)
In-Reply-To: <20110506001210.350968533@clark.kroah.org>
[-- Attachment #1: Type: text/plain, Size: 1337 bytes --]
On Thu, 2011-05-05 at 17:11 -0700, Greg KH wrote:
> 2.6.38-stable review patch. If anyone has any objections, please let us know.
>
> ------------------
>
> From: Dan Rosenberg <drosenberg@vsecurity.com>
>
> commit 0f22072ab50cac7983f9660d33974b45184da4f9 upstream.
>
> When CONFIG_OABI_COMPAT is set, the wrapper for semtimedop does not
> bound the nsops argument. A sufficiently large value will cause an
> integer overflow in allocation size, followed by copying too much data
> into the allocated buffer. Fix this by restricting nsops to SEMOPM.
> Untested.
>
> Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
> Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
>
> ---
> arch/arm/kernel/sys_oabi-compat.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> --- a/arch/arm/kernel/sys_oabi-compat.c
> +++ b/arch/arm/kernel/sys_oabi-compat.c
> @@ -311,7 +311,7 @@ asmlinkage long sys_oabi_semtimedop(int
> long err;
> int i;
>
> - if (nsops < 1)
> + if (nsops < 1 || nsops > SEMOPM)
> return -EINVAL;
It's not that important, but the manual page says the error code should
E2BIG in the latter case.
Ben.
--
Ben Hutchings
Once a job is fouled up, anything done to improve it makes it worse.
[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 828 bytes --]
next prev parent reply other threads:[~2011-05-07 1:50 UTC|newest]
Thread overview: 54+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-05-06 0:12 [patch 00/38] 2.6.38.6-stable review Greg KH
2011-05-06 0:10 ` [patch 01/38] [SCSI] pmcraid: reject negative request size Greg KH
2011-05-06 0:10 ` [patch 02/38] [SCSI] mpt2sas: prevent heap overflows and unchecked reads Greg KH
2011-05-06 0:10 ` [patch 03/38] [SCSI] scsi_dh: fix reference counting in scsi_dh_activate error path Greg KH
2011-05-06 0:10 ` [patch 04/38] [SCSI] put stricter guards on queue dead checks Greg KH
2011-05-06 14:54 ` Jim Schutt
2011-05-06 16:17 ` [stable] " Greg KH
2011-05-06 16:33 ` James Bottomley
2011-05-07 8:46 ` [Stable-review] " Chuck Ebbert
2011-05-09 20:43 ` [stable] [Stable-review] " Greg KH
2011-05-06 0:10 ` [patch 05/38] ALSA: HDA: Fix automute for Gateway NV79 Greg KH
2011-05-06 0:10 ` [patch 06/38] Revert "ALSA: hda - Fix pin-config of Gigabyte mobo" Greg KH
2011-05-06 0:10 ` [patch 07/38] ALSA: hda - Fix Realteks chained fixup checks Greg KH
2011-05-06 0:10 ` [patch 08/38] i2c-parport: Fix adapter list handling Greg KH
2011-05-06 0:10 ` [patch 09/38] workqueue: fix deadlock in worker_maybe_bind_and_lock() Greg KH
2011-05-06 0:10 ` [patch 10/38] iwlwifi: fix skb usage after free Greg KH
2011-05-06 0:10 ` [patch 11/38] iwlagn: fix "Received BA when not expected" Greg KH
2011-05-06 0:10 ` [patch 12/38] atl1c: Fix work event interrupt/task races Greg KH
2011-05-06 0:10 ` [patch 13/38] UBIFS: do not free write-buffers when in R/O mode Greg KH
2011-05-06 0:10 ` [patch 14/38] UBIFS: seek journal heads to the latest bud in replay Greg KH
2011-05-06 0:10 ` [patch 15/38] mmc: fix a race between card-detect rescan and clock-gate work instances Greg KH
2011-05-06 0:10 ` [patch 16/38] mmc: sdhci-pci: Fix error case in sdhci_pci_probe_slot() Greg KH
2011-05-06 0:10 ` [patch 17/38] mmc: sdhci: Check mrq->cmd in sdhci_tasklet_finish Greg KH
2011-05-06 0:10 ` [patch 18/38] mmc: sdhci: Check mrq != NULL " Greg KH
2011-05-06 0:10 ` [patch 19/38] drm/radeon: fix regression on atom cards with hardcoded EDID record Greg KH
2011-05-06 0:10 ` [patch 20/38] USB: fix regression in usbip by setting has_tt flag Greg KH
2011-05-06 0:10 ` [patch 21/38] firewire: Fix for broken configrom updates in quick succession Greg KH
2011-05-06 0:10 ` [patch 22/38] usbnet: add support for some Huawei modems with cdc-ether ports Greg KH
2011-05-06 0:10 ` [patch 23/38] [media] v4l: make sure drivers supply a zeroed struct v4l2_subdev Greg KH
2011-05-06 0:10 ` [patch 24/38] [media] imon: add conditional locking in change_protocol Greg KH
2011-05-06 0:10 ` [patch 25/38] flex_array: flex_array_prealloc takes a number of elements, not an end Greg KH
2011-05-06 0:10 ` [patch 26/38] flex_arrays: allow zero length flex arrays Greg KH
2011-05-06 0:10 ` [patch 27/38] x86, AMD: Fix APIC timer erratum 400 affecting K8 Rev.A-E processors Greg KH
2011-05-06 0:11 ` [patch 28/38] ath9k: fix the return value of ath_stoprecv Greg KH
2011-05-06 0:11 ` [patch 29/38] mac80211: fix SMPS debugfs locking Greg KH
2011-05-06 0:11 ` [patch 30/38] af_unix: Only allow recv on connected seqpacket sockets Greg KH
2011-05-06 0:11 ` [patch 31/38] ARM: 6891/1: prevent heap corruption in OABI semtimedop Greg KH
2011-05-07 1:49 ` Ben Hutchings [this message]
2011-05-09 20:09 ` [Stable-review] " Jesper Juhl
2011-05-09 21:07 ` Ben Hutchings
2011-05-06 0:11 ` [patch 32/38] XZ decompressor: Fix decoding of empty LZMA2 streams Greg KH
2011-05-06 0:11 ` [patch 33/38] Open with O_CREAT flag set fails to open existing files on non writable directories Greg KH
2011-05-06 0:11 ` [patch 34/38] can: Add missing socket check in can/bcm release Greg KH
2011-05-06 7:16 ` [Stable-review] " Chuck Ebbert
2011-05-06 7:24 ` David Miller
2011-05-09 20:41 ` [stable] " Greg KH
2011-05-06 0:11 ` [patch 35/38] fs/partitions/ldm.c: fix oops caused by corrupted partition table Greg KH
2011-05-07 2:24 ` [Stable-review] " Ben Hutchings
2011-05-09 15:13 ` Timo Warns
2011-05-06 0:11 ` [patch 36/38] [media] cx88: Fix HVR4000 IR keymap Greg KH
2011-05-06 0:11 ` [patch 37/38] KVM: SVM: check for progress after IRET interception Greg KH
2011-05-06 0:11 ` [patch 38/38] drm/radeon/kms: add some new pci ids Greg KH
2011-05-09 16:38 ` [stable] [patch 00/38] 2.6.38.6-stable review Chuck Ebbert
2011-05-09 20:44 ` Greg KH
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1304732990.3203.61.camel@localhost \
--to=ben@decadent.org.uk \
--cc=akpm@linux-foundation.org \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=drosenberg@vsecurity.com \
--cc=gregkh@suse.de \
--cc=linux-kernel@vger.kernel.org \
--cc=rmk+kernel@arm.linux.org.uk \
--cc=stable-review@kernel.org \
--cc=stable@kernel.org \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).