commit c78193e9c7bcbf25b8237ad0dec82f805c4ea69b · tjh.dev/kernel

tjh.dev / kernel

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

next_pidmap: fix overflow condition

next_pidmap() just quietly accepted whatever 'last' pid that was passed
in, which is not all that safe when one of the users is /proc.

Admittedly the proc code should do some sanity checking on the range
(and that will be the next commit), but that doesn't mean that the
helper functions should just do that pidmap pointer arithmetic without
checking the range of its arguments.

So clamp 'last' to PID_MAX_LIMIT. The fact that we then do "last+1"
doesn't really matter, the for-loop does check against the end of the
pidmap array properly (it's only the actual pointer arithmetic overflow
case we need to worry about, and going one bit beyond isn't going to
overflow).

[ Use PID_MAX_LIMIT rather than pid_max as per Eric Biederman ]

Reported-by: Tavis Ormandy <taviso@cmpxchg8b.com>
Analyzed-by: Robert Święcki <robert@swiecki.net>
Cc: Eric W. Biederman <ebiederm@xmission.com>
Cc: Pavel Emelyanov <xemul@openvz.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

Linus Torvalds 14 years ago c78193e9 a1b49cb7

+5 -2

2 changed files

expand all

unified split

include

linux

pid.h

kernel

pid.c

+1 -1

include/linux/pid.h

··· 117 */ 118 extern struct pid *find_get_pid(int nr); 119 extern struct pid *find_ge_pid(int nr, struct pid_namespace *); 120 - int next_pidmap(struct pid_namespace *pid_ns, int last); 121 122 extern struct pid *alloc_pid(struct pid_namespace *ns); 123 extern void free_pid(struct pid *pid);

··· 117 */ 118 extern struct pid *find_get_pid(int nr); 119 extern struct pid *find_ge_pid(int nr, struct pid_namespace *); 120 + int next_pidmap(struct pid_namespace *pid_ns, unsigned int last); 121 122 extern struct pid *alloc_pid(struct pid_namespace *ns); 123 extern void free_pid(struct pid *pid);

+4 -1

kernel/pid.c

··· 217 return -1; 218 } 219 220 - int next_pidmap(struct pid_namespace *pid_ns, int last) 221 { 222 int offset; 223 struct pidmap *map, *end; 224 225 offset = (last + 1) & BITS_PER_PAGE_MASK; 226 map = &pid_ns->pidmap[(last + 1)/BITS_PER_PAGE];

··· 217 return -1; 218 } 219 220 + int next_pidmap(struct pid_namespace *pid_ns, unsigned int last) 221 { 222 int offset; 223 struct pidmap *map, *end; 224 + 225 + if (last >= PID_MAX_LIMIT) 226 + return -1; 227 228 offset = (last + 1) & BITS_PER_PAGE_MASK; 229 map = &pid_ns->pidmap[(last + 1)/BITS_PER_PAGE];