ARM: 6891/1: prevent heap corruption in OABI semtimedop

When CONFIG_OABI_COMPAT is set, the wrapper for semtimedop does not
bound the nsops argument. A sufficiently large value will cause an
integer overflow in allocation size, followed by copying too much data
into the allocated buffer. Fix this by restricting nsops to SEMOPM.
Untested.

Cc: stable@kernel.org
Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>

authored by Dan Rosenberg and committed by Russell King 0f22072a 408133e9

+1 -1
arch/arm/kernel/sys_oabi-compat.c
··· 311 311 long err; 312 312 int i; 313 313 314 - if (nsops < 1) 314 + if (nsops < 1 || nsops > SEMOPM) 315 315 return -EINVAL; 316 316 sops = kmalloc(sizeof(*sops) * nsops, GFP_KERNEL); 317 317 if (!sops)
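Review bot: The allocation on the line after the new check, `sops = kmalloc(sizeof(*sops) * nsops, GFP_KERNEL);`, still multiplies by hand. It is only safe because `nsops > SEMOPM` is rejected two lines earlier. An overflow-checked allocator such as `kcalloc(nsops, sizeof(*sops), GFP_KERNEL)` would keep the size computation safe on its own if the bound is later changed or the check is moved. A one-line comment above the check saying that the SEMOPM limit is what prevents the size from wrapping would also help, since the hunk does not make that dependency obvious. The over-limit case also shares `-EINVAL` with `nsops < 1`, so it is worth confirming this matches the errno the non-OABI semtimedop path returns for too many operations. Finally, the commit message says "Untested", so a quick run with nsops set to 0, SEMOPM and SEMOPM + 1 should be done before this goes to stable.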