From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from out2-smtp.messagingengine.com ([66.111.4.26]:49085 "EHLO out2-smtp.messagingengine.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1030433AbbEEFij (ORCPT ); Tue, 5 May 2015 01:38:39 -0400 Received: from compute6.internal (compute6.nyi.internal [10.202.2.46]) by mailout.nyi.internal (Postfix) with ESMTP id 47C97204BE for ; Tue, 5 May 2015 01:38:36 -0400 (EDT) Message-ID: <1430804310.2936.1.camel@pluto.fritz.box> Subject: Re: [PATCH 3.2 059/221] autofs4: check dev ioctl size before allocating From: Ian Kent To: Ben Hutchings Cc: linux-kernel@vger.kernel.org, stable@vger.kernel.org, akpm@linux-foundation.org, Sasha Levin , Linus Torvalds Date: Tue, 05 May 2015 13:38:30 +0800 In-Reply-To: References: Content-Type: text/plain; charset="UTF-8" Mime-Version: 1.0 Content-Transfer-Encoding: 7bit Sender: stable-owner@vger.kernel.org List-ID: On Tue, 2015-05-05 at 02:16 +0100, Ben Hutchings wrote: > 3.2.69-rc1 review patch. If anyone has any objections, please let me know. Perhaps you should also consider including commit 0a280962 along with this one. > > ------------------ > > From: Sasha Levin > > commit e53d77eb8bb616e903e34cc7a918401bee3b5149 upstream. > > There wasn't any check of the size passed from userspace before trying > to allocate the memory required. > > This meant that userspace might request more space than allowed, > triggering an OOM. > > Signed-off-by: Sasha Levin > Signed-off-by: Ian Kent > Signed-off-by: Andrew Morton > Signed-off-by: Linus Torvalds > Signed-off-by: Ben Hutchings > --- > fs/autofs4/dev-ioctl.c | 3 +++ > 1 file changed, 3 insertions(+) > > --- a/fs/autofs4/dev-ioctl.c > +++ b/fs/autofs4/dev-ioctl.c > @@ -103,6 +103,9 @@ static struct autofs_dev_ioctl *copy_dev > if (tmp.size < sizeof(tmp)) > return ERR_PTR(-EINVAL); > > + if (tmp.size > (PATH_MAX + sizeof(tmp))) > + return ERR_PTR(-ENAMETOOLONG); > + > return memdup_user(in, tmp.size); > } > >