Ack: Re: [maverick/ti-omap4, natty/ti-omap4 CVE 1/1] ARM: 6891/1: prevent heap corruption in OABI semtimedop
Herton Ronaldo Krzesinski
herton.krzesinski at canonical.com
Thu Feb 2 11:55:25 UTC 2012
On Thu, Feb 02, 2012 at 10:59:59AM +0000, Andy Whitcroft wrote:
> From: Dan Rosenberg <drosenberg at vsecurity.com>
>
> When CONFIG_OABI_COMPAT is set, the wrapper for semtimedop does not
> bound the nsops argument. A sufficiently large value will cause an
> integer overflow in allocation size, followed by copying too much data
> into the allocated buffer. Fix this by restricting nsops to SEMOPM.
> Untested.
>
> Cc: stable at kernel.org
> Signed-off-by: Dan Rosenberg <drosenberg at vsecurity.com>
> Signed-off-by: Russell King <rmk+kernel at arm.linux.org.uk>
>
> (cherry picked from commit 0f22072ab50cac7983f9660d33974b45184da4f9)
> CVE-2011-1759
> BugLink: http://bugs.launchpad.net/bugs/925373
> Signed-off-by: Andy Whitcroft <apw at canonical.com>
> ---
> arch/arm/kernel/sys_oabi-compat.c | 2 +-
> 1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/arch/arm/kernel/sys_oabi-compat.c b/arch/arm/kernel/sys_oabi-compat.c
> index d59a0cd..897b879 100644
> --- a/arch/arm/kernel/sys_oabi-compat.c
> +++ b/arch/arm/kernel/sys_oabi-compat.c
> @@ -311,7 +311,7 @@ asmlinkage long sys_oabi_semtimedop(int semid,
> long err;
> int i;
>
> - if (nsops < 1)
> + if (nsops < 1 || nsops > SEMOPM)
> return -EINVAL;
> sops = kmalloc(sizeof(*sops) * nsops, GFP_KERNEL);
> if (!sops)
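Review bot: the new upper bound rejects nsops > SEMOPM with -EINVAL, whereas the native semtimedop path reports an oversized nsops as -E2BIG (the error semop(2) documents for that case); consider returning -E2BIG for the "nsops > SEMOPM" half so OABI callers see the same errno as EABI callers. The bound is the right place for the check, since it runs before the "sops = kmalloc(sizeof(*sops) * nsops, GFP_KERNEL);" line whose product the commit message says wraps, and with nsops capped at SEMOPM that product can no longer overflow; it would help a stable reviewer to say that explicitly in the commit message, which is currently marked "Untested", and a quick check that semtimedop with nsops = SEMOPM + 1 now fails cleanly would back the backport.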
> --
> 1.7.8.3
>
>
> --
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
>
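The arithmetic behind the bug the commit message describes, as an added example written for this page (it is not kernel code and not part of the patch above): it models sizeof(*sops) * nsops as a 32-bit ARM kernel evaluates it, where size_t is 32 bits, and runs the pre-fix and post-fix nsops checks side by side. The 6-byte entry size, SEMOPM = 500 and the unsigned 32-bit nsops are assumptions taken from the kernel's uapi definitions, not from the hunk, and are labelled as such in the code.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Example written for this page; it is not kernel code. It models the
 * allocation-size arithmetic described in the commit message, as a 32-bit
 * ARM kernel would evaluate it (size_t is 32 bits there).
 *
 * Assumptions, stated here because they are not in the patch above:
 *   - one sops entry is 6 bytes (struct sembuf: three 16-bit fields);
 *   - SEMOPM is 500, the kernel's default cap on ops per semop call;
 *   - nsops is a 32-bit unsigned count supplied by user space.
 */
#define ASSUMED_SEMOPM      500u
#define ASSUMED_ENTRY_BYTES 6u

/* Smallest nsops whose 6-byte product exceeds 32 bits:
 * 6 * 0x2AAAAAAB = 0x100000002, so kmalloc would be asked for 2 bytes.
 * Constructed input for the demonstration. */
#define WRAPPING_NSOPS      0x2AAAAAABu

enum outcome {
    OUTCOME_REJECTED,   /* the nsops check returned -EINVAL */
    OUTCOME_OK,         /* sizeof(*sops) * nsops fits in 32 bits */
    OUTCOME_WRAPPED     /* the product wrapped: kmalloc gets a tiny size */
};

/* sizeof(*sops) * nsops truncated to 32 bits, as a 32-bit kernel computes it.
 * *wrapped is set when the mathematically exact product does not fit. */
static uint32_t alloc_size_32(uint32_t entry_bytes, uint32_t nsops, bool *wrapped)
{
    uint64_t exact = (uint64_t)entry_bytes * nsops;
    *wrapped = exact > UINT32_MAX;
    return (uint32_t)exact;
}

/* The pre-fix check from the hunk: only nsops < 1 is rejected. */
static int check_nsops_before(uint32_t nsops)
{
    if (nsops < 1)
        return -EINVAL;
    return 0;
}

/* The post-fix check: nsops is also bounded by SEMOPM. */
static int check_nsops_after(uint32_t nsops)
{
    if (nsops < 1 || nsops > ASSUMED_SEMOPM)
        return -EINVAL;
    return 0;
}

/* Runs the chosen check, then the size computation the kmalloc call would
 * see. Stores the byte count the kernel would request (0 when rejected). */
static enum outcome semtimedop_prepare(uint32_t nsops, bool fixed, uint32_t *bytes)
{
    int err = fixed ? check_nsops_after(nsops) : check_nsops_before(nsops);
    bool wrapped;

    *bytes = 0;
    if (err)
        return OUTCOME_REJECTED;
    *bytes = alloc_size_32(ASSUMED_ENTRY_BYTES, nsops, &wrapped);
    /* In the real code the copy loop then stores nsops entries into a
     * *bytes-byte buffer; on wrap that is a heap overflow. */
    return wrapped ? OUTCOME_WRAPPED : OUTCOME_OK;
}

/* Convenience wrappers that expose outcome and requested size separately. */
static enum outcome outcome_for(uint32_t nsops, bool fixed)
{
    uint32_t b;
    return semtimedop_prepare(nsops, fixed, &b);
}

static uint32_t bytes_for(uint32_t nsops, bool fixed)
{
    uint32_t b;
    semtimedop_prepare(nsops, fixed, &b);
    return b;
}

int main(void)
{
    static const struct { const char *name; uint32_t nsops; } cases[] = {
        { "nsops = 0",        0 },
        { "nsops = 3",        3 },
        { "nsops = SEMOPM",   ASSUMED_SEMOPM },
        { "nsops = SEMOPM+1", ASSUMED_SEMOPM + 1 },
        { "wrapping nsops",   WRAPPING_NSOPS },
    };
    static const char *names[] = { "rejected (-EINVAL)", "ok", "WRAPPED" };

    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        uint32_t before_bytes, after_bytes;
        enum outcome before = semtimedop_prepare(cases[i].nsops, false, &before_bytes);
        enum outcome after  = semtimedop_prepare(cases[i].nsops, true,  &after_bytes);
        printf("%-18s before fix: %-18s (%u bytes)  after fix: %s (%u bytes)\n",
               cases[i].name, names[before], before_bytes, names[after], after_bytes);
    }
    return 0;
}
```

The wrapping case is the one the commit message refers to: before the fix the kernel would pass 2 bytes to kmalloc and then store hundreds of millions of 6-byte entries into that buffer; after the fix the same nsops never reaches the allocation.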