[maverick/ti-omap4, natty/ti-omap4 CVE 1/1] ARM: 6891/1: prevent heap corruption in OABI semtimedop

[Andy Whitcroft]

From: Dan Rosenberg <drosenberg at vsecurity.com>

When CONFIG_OABI_COMPAT is set, the wrapper for semtimedop does not
bound the nsops argument.  A sufficiently large value will cause an
integer overflow in allocation size, followed by copying too much data
into the allocated buffer.  Fix this by restricting nsops to SEMOPM.
Untested.

Cc: stable at kernel.org
Signed-off-by: Dan Rosenberg <drosenberg at vsecurity.com>
Signed-off-by: Russell King <rmk+kernel at arm.linux.org.uk>

(cherry picked from commit 0f22072ab50cac7983f9660d33974b45184da4f9)
CVE-2011-1759
BugLink: http://bugs.launchpad.net/bugs/925373
Signed-off-by: Andy Whitcroft <apw at canonical.com>
---
 arch/arm/kernel/sys_oabi-compat.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/arch/arm/kernel/sys_oabi-compat.c b/arch/arm/kernel/sys_oabi-compat.c
index d59a0cd..897b879 100644
--- a/arch/arm/kernel/sys_oabi-compat.c
+++ b/arch/arm/kernel/sys_oabi-compat.c
@@ -311,7 +311,7 @@ asmlinkage long sys_oabi_semtimedop(int semid,
 	long err;
 	int i;
 
-	if (nsops < 1)
+	if (nsops < 1 || nsops > SEMOPM)
 		return -EINVAL;
 	sops = kmalloc(sizeof(*sops) * nsops, GFP_KERNEL);
 	if (!sops)
-- 
1.7.8.3