[maverick/ti-omap4, natty/ti-omap4 CVE 1/1] ARM: 6891/1: prevent heap corruption in OABI semtimedop
Andy Whitcroft
apw at canonical.com
Thu Feb 2 10:59:59 UTC 2012
From: Dan Rosenberg <drosenberg at vsecurity.com>
When CONFIG_OABI_COMPAT is set, the wrapper for semtimedop does not
bound the nsops argument. A sufficiently large value will cause an
integer overflow in allocation size, followed by copying too much data
into the allocated buffer. Fix this by restricting nsops to SEMOPM.
Untested.
Cc: stable at kernel.org
Signed-off-by: Dan Rosenberg <drosenberg at vsecurity.com>
Signed-off-by: Russell King <rmk+kernel at arm.linux.org.uk>
(cherry picked from commit 0f22072ab50cac7983f9660d33974b45184da4f9)
CVE-2011-1759
BugLink: http://bugs.launchpad.net/bugs/925373
Signed-off-by: Andy Whitcroft <apw at canonical.com>
---
arch/arm/kernel/sys_oabi-compat.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/arch/arm/kernel/sys_oabi-compat.c b/arch/arm/kernel/sys_oabi-compat.c
index d59a0cd..897b879 100644
--- a/arch/arm/kernel/sys_oabi-compat.c
+++ b/arch/arm/kernel/sys_oabi-compat.c
@@ -311,7 +311,7 @@ asmlinkage long sys_oabi_semtimedop(int semid,
long err;
int i;
- if (nsops < 1)
+ if (nsops < 1 || nsops > SEMOPM)
return -EINVAL;
sops = kmalloc(sizeof(*sops) * nsops, GFP_KERNEL);
if (!sops)
--
1.7.8.3
More information about the kernel-team
mailing list