* [PATCH] perf_counter: fix buffer overflow in perf_copy_attr()
@ 2009-09-15 6:44 Xiao Guangrong
2009-09-15 6:55 ` Paul Mackerras
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: Xiao Guangrong @ 2009-09-15 6:44 UTC (permalink / raw)
To: Ingo Molnar; +Cc: Peter Zijlstra, Paul Mackerras, LKML
If we pass a big size data over perf_counter_open syscall, the kernel
will copy this data to a small buffer, It will cause kernel crash.
This bug make kernel unsafe and no-root user can trigger it.
Signed-off-by: Xiao Guangrong <xiaoguangrong@cn.fujitsu.com>
---
kernel/perf_counter.c | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/kernel/perf_counter.c b/kernel/perf_counter.c
index 667ab25..75c46c0 100644
--- a/kernel/perf_counter.c
+++ b/kernel/perf_counter.c
@@ -4216,6 +4216,7 @@ static int perf_copy_attr(struct perf_counter_attr __user *uattr,
if (val)
goto err_size;
}
+ size = sizeof(*attr);
}
ret = copy_from_user(attr, uattr, size);
--
1.6.1.2
^ permalink raw reply related [flat|nested] 4+ messages in thread* Re: [PATCH] perf_counter: fix buffer overflow in perf_copy_attr()
2009-09-15 6:44 [PATCH] perf_counter: fix buffer overflow in perf_copy_attr() Xiao Guangrong
@ 2009-09-15 6:55 ` Paul Mackerras
2009-09-15 7:40 ` Peter Zijlstra
2009-09-15 9:21 ` [tip:perfcounters/urgent] perf_counter: Fix " tip-bot for Xiao Guangrong
2 siblings, 0 replies; 4+ messages in thread
From: Paul Mackerras @ 2009-09-15 6:55 UTC (permalink / raw)
To: Xiao Guangrong; +Cc: Ingo Molnar, Peter Zijlstra, LKML
Xiao Guangrong writes:
> If we pass a big size data over perf_counter_open syscall, the kernel
> will copy this data to a small buffer, It will cause kernel crash.
>
> This bug make kernel unsafe and no-root user can trigger it.
>
> Signed-off-by: Xiao Guangrong <xiaoguangrong@cn.fujitsu.com>
> ---
> kernel/perf_counter.c | 1 +
> 1 files changed, 1 insertions(+), 0 deletions(-)
>
> diff --git a/kernel/perf_counter.c b/kernel/perf_counter.c
> index 667ab25..75c46c0 100644
> --- a/kernel/perf_counter.c
> +++ b/kernel/perf_counter.c
> @@ -4216,6 +4216,7 @@ static int perf_copy_attr(struct perf_counter_attr __user *uattr,
> if (val)
> goto err_size;
> }
> + size = sizeof(*attr);
Looks right to me.
Acked-by: Paul Mackerras <paulus@samba.org>
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] perf_counter: fix buffer overflow in perf_copy_attr()
2009-09-15 6:44 [PATCH] perf_counter: fix buffer overflow in perf_copy_attr() Xiao Guangrong
2009-09-15 6:55 ` Paul Mackerras
@ 2009-09-15 7:40 ` Peter Zijlstra
2009-09-15 9:21 ` [tip:perfcounters/urgent] perf_counter: Fix " tip-bot for Xiao Guangrong
2 siblings, 0 replies; 4+ messages in thread
From: Peter Zijlstra @ 2009-09-15 7:40 UTC (permalink / raw)
To: Xiao Guangrong; +Cc: Ingo Molnar, Paul Mackerras, LKML
On Tue, 2009-09-15 at 14:44 +0800, Xiao Guangrong wrote:
> If we pass a big size data over perf_counter_open syscall, the kernel
> will copy this data to a small buffer, It will cause kernel crash.
>
> This bug make kernel unsafe and no-root user can trigger it.
Ah, indeed. Thanks!
Acked-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
> Signed-off-by: Xiao Guangrong <xiaoguangrong@cn.fujitsu.com>
> ---
> kernel/perf_counter.c | 1 +
> 1 files changed, 1 insertions(+), 0 deletions(-)
>
> diff --git a/kernel/perf_counter.c b/kernel/perf_counter.c
> index 667ab25..75c46c0 100644
> --- a/kernel/perf_counter.c
> +++ b/kernel/perf_counter.c
> @@ -4216,6 +4216,7 @@ static int perf_copy_attr(struct perf_counter_attr __user *uattr,
> if (val)
> goto err_size;
> }
> + size = sizeof(*attr);
> }
>
> ret = copy_from_user(attr, uattr, size);
^ permalink raw reply [flat|nested] 4+ messages in thread
* [tip:perfcounters/urgent] perf_counter: Fix buffer overflow in perf_copy_attr()
2009-09-15 6:44 [PATCH] perf_counter: fix buffer overflow in perf_copy_attr() Xiao Guangrong
2009-09-15 6:55 ` Paul Mackerras
2009-09-15 7:40 ` Peter Zijlstra
@ 2009-09-15 9:21 ` tip-bot for Xiao Guangrong
2 siblings, 0 replies; 4+ messages in thread
From: tip-bot for Xiao Guangrong @ 2009-09-15 9:21 UTC (permalink / raw)
To: linux-tip-commits
Cc: linux-kernel, paulus, hpa, mingo, peterz, xiaoguangrong, stable,
tglx, mingo
Commit-ID: b3e62e35058fc744ac794611f4e79bcd1c5a4b83
Gitweb: http://git.kernel.org/tip/b3e62e35058fc744ac794611f4e79bcd1c5a4b83
Author: Xiao Guangrong <xiaoguangrong@cn.fujitsu.com>
AuthorDate: Tue, 15 Sep 2009 14:44:36 +0800
Committer: Ingo Molnar <mingo@elte.hu>
CommitDate: Tue, 15 Sep 2009 09:53:31 +0200
perf_counter: Fix buffer overflow in perf_copy_attr()
If we pass a big size data over perf_counter_open() syscall,
the kernel will copy this data to a small buffer, it will
cause kernel crash.
This bug makes the kernel unsafe and non-root local user can
trigger it.
Signed-off-by: Xiao Guangrong <xiaoguangrong@cn.fujitsu.com>
Acked-by: Peter Zijlstra <peterz@infradead.org>
Acked-by: Paul Mackerras <paulus@samba.org>
Cc: <stable@kernel.org>
LKML-Reference: <4AAF37D4.5010706@cn.fujitsu.com>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
---
kernel/perf_counter.c | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/kernel/perf_counter.c b/kernel/perf_counter.c
index d7cbc57..a67a1dc 100644
--- a/kernel/perf_counter.c
+++ b/kernel/perf_counter.c
@@ -4171,6 +4171,7 @@ static int perf_copy_attr(struct perf_counter_attr __user *uattr,
if (val)
goto err_size;
}
+ size = sizeof(*attr);
}
ret = copy_from_user(attr, uattr, size);
^ permalink raw reply related [flat|nested] 4+ messages in thread
end of thread, other threads:[~2009-09-15 9:22 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2009-09-15 6:44 [PATCH] perf_counter: fix buffer overflow in perf_copy_attr() Xiao Guangrong
2009-09-15 6:55 ` Paul Mackerras
2009-09-15 7:40 ` Peter Zijlstra
2009-09-15 9:21 ` [tip:perfcounters/urgent] perf_counter: Fix " tip-bot for Xiao Guangrong
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox