mm/mempolicy.c: fix error handling in set_mempolicy and mbind.

In the case that compat_get_bitmap fails we do not want to copy the
bitmap to the user as it will contain uninitialized stack data and leak
sensitive data.

Signed-off-by: Chris Salls <salls@cs.ucsb.edu>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

authored by Chris Salls and committed by Linus Torvalds cf01fb99 425fffd8

+8 -12
+8 -12
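--- a/mm/mempolicy.c
+++ b/mm/mempolicy.c
@@ -1529,7 +1529,6 @@
 COMPAT_SYSCALL_DEFINE3(set_mempolicy, int, mode, compat_ulong_t __user *, nmask,
 compat_ulong_t, maxnode)
 {
-long err = 0;
 unsigned long __user *nm = NULL;
 unsigned long nr_bits, alloc_size;
 DECLARE_BITMAP(bm, MAX_NUMNODES);
@@ -1537,13 +1538,12 @@
 alloc_size = ALIGN(nr_bits, BITS_PER_LONG) / 8;
 
 if (nmask) {
-err = compat_get_bitmap(bm, nmask, nr_bits);
+if (compat_get_bitmap(bm, nmask, nr_bits))
+return -EFAULT;
 nm = compat_alloc_user_space(alloc_size);
-err |= copy_to_user(nm, bm, alloc_size);
+if (copy_to_user(nm, bm, alloc_size))
+return -EFAULT;
 }
-
-if (err)
-return -EFAULT;
 
 return sys_set_mempolicy(mode, nm, nr_bits+1);
 }
@@ -1551,7 +1553,6 @@
 compat_ulong_t, mode, compat_ulong_t __user *, nmask,
 compat_ulong_t, maxnode, compat_ulong_t, flags)
 {
-long err = 0;
 unsigned long __user *nm = NULL;
 unsigned long nr_bits, alloc_size;
 nodemask_t bm;
@@ -1559,13 +1562,12 @@
 alloc_size = ALIGN(nr_bits, BITS_PER_LONG) / 8;
 
 if (nmask) {
-err = compat_get_bitmap(nodes_addr(bm), nmask, nr_bits);
+if (compat_get_bitmap(nodes_addr(bm), nmask, nr_bits))
+return -EFAULT;
 nm = compat_alloc_user_space(alloc_size);
-err |= copy_to_user(nm, nodes_addr(bm), alloc_size);
+if (copy_to_user(nm, nodes_addr(bm), alloc_size))
+return -EFAULT;
 }
-
-if (err)
-return -EFAULT;
 
 return sys_mbind(start, len, mode, nm, nr_bits+1, flags);
 }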
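Review bot: `bm` stays an uninitialised stack object in both wrappers (`DECLARE_BITMAP(bm, MAX_NUMNODES);` in set_mempolicy, `nodemask_t bm;` in mbind), so only the ordering of the new early returns keeps stale stack bytes out of `copy_to_user()`. Clearing it before the `if (nmask)` block, with `bitmap_zero(bm, MAX_NUMNODES);` and `nodes_clear(bm);` respectively, would keep the copy-out safe even if a later refactor folds the error checks back together. It would also cover a successful `compat_get_bitmap()` that fills fewer than `alloc_size` bytes; whether that can happen depends on how `nr_bits` is derived from `maxnode`, which sits in the lines elided between the hunks. A one-line comment above the first check, such as `/* bm is uninitialised until compat_get_bitmap() succeeds; never copy it out on failure */`, would record why the checks must stay separate.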