Patchwork [maverick/ti-omap4,natty/ti-omap4,CVE,1/1] ARM: 6891/1: prevent heap corruption in OABI semtimedop

Submitter Andy Whitcroft
Date Feb. 2, 2012, 10:59 a.m.
Message ID <1328180399-20007-2-git-send-email-apw@canonical.com>
Permalink /patch/139116/
State New

Comments

Andy Whitcroft - Feb. 2, 2012, 10:59 a.m.
From: Dan Rosenberg <drosenberg@vsecurity.com>

When CONFIG_OABI_COMPAT is set, the wrapper for semtimedop does not
bound the nsops argument.  A sufficiently large value will cause an
integer overflow in allocation size, followed by copying too much data
into the allocated buffer.  Fix this by restricting nsops to SEMOPM.
Untested.

Cc: stable@kernel.org
Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>

(cherry picked from commit 0f22072ab50cac7983f9660d33974b45184da4f9)
CVE-2011-1759
BugLink: http://bugs.launchpad.net/bugs/925373
Signed-off-by: Andy Whitcroft <apw@canonical.com>
---
 arch/arm/kernel/sys_oabi-compat.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)
Herton Ronaldo Krzesinski - Feb. 2, 2012, 11:55 a.m.
On Thu, Feb 02, 2012 at 10:59:59AM +0000, Andy Whitcroft wrote:
> From: Dan Rosenberg <drosenberg@vsecurity.com>
> 
> When CONFIG_OABI_COMPAT is set, the wrapper for semtimedop does not
> bound the nsops argument.  A sufficiently large value will cause an
> integer overflow in allocation size, followed by copying too much data
> into the allocated buffer.  Fix this by restricting nsops to SEMOPM.
> Untested.
> 
> Cc: stable@kernel.org
> Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
> Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
> 
> (cherry picked from commit 0f22072ab50cac7983f9660d33974b45184da4f9)
> CVE-2011-1759
> BugLink: http://bugs.launchpad.net/bugs/925373
> Signed-off-by: Andy Whitcroft <apw@canonical.com>
> ---
>  arch/arm/kernel/sys_oabi-compat.c |    2 +-
>  1 files changed, 1 insertions(+), 1 deletions(-)
> 
> diff --git a/arch/arm/kernel/sys_oabi-compat.c b/arch/arm/kernel/sys_oabi-compat.c
> index d59a0cd..897b879 100644
> --- a/arch/arm/kernel/sys_oabi-compat.c
> +++ b/arch/arm/kernel/sys_oabi-compat.c
> @@ -311,7 +311,7 @@ asmlinkage long sys_oabi_semtimedop(int semid,
>  	long err;
>  	int i;
>  
> -	if (nsops < 1)
> +	if (nsops < 1 || nsops > SEMOPM)
>  		return -EINVAL;
>  	sops = kmalloc(sizeof(*sops) * nsops, GFP_KERNEL);
>  	if (!sops)
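Review bot: the new upper bound on nsops sits before the `kmalloc(sizeof(*sops) * nsops, GFP_KERNEL)` call, so the multiplication can no longer wrap and the later copy into `sops` stays within the allocation; since the message marks the change "Untested", suggest at least a build of the CONFIG_OABI_COMPAT configuration and a run of the OABI semtimedop path with nsops at SEMOPM and SEMOPM + 1 (expecting success and -EINVAL respectively) before this goes into the stable trees.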
> -- 
> 1.7.8.3
> 
> 
> -- 
> kernel-team mailing list
> kernel-team@lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
>

Patch

diff --git a/arch/arm/kernel/sys_oabi-compat.c b/arch/arm/kernel/sys_oabi-compat.c
index d59a0cd..897b879 100644
--- a/arch/arm/kernel/sys_oabi-compat.c
+++ b/arch/arm/kernel/sys_oabi-compat.c
@@ -311,7 +311,7 @@  asmlinkage long sys_oabi_semtimedop(int semid,
 	long err;
 	int i;
 
-	if (nsops < 1)
+	if (nsops < 1 || nsops > SEMOPM)
 		return -EINVAL;
 	sops = kmalloc(sizeof(*sops) * nsops, GFP_KERNEL);
 	if (!sops)
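Review bot: both the `nsops < 1` and the new `nsops > SEMOPM` cases collapse into the same `return -EINVAL;`, which the hunk gives no comment for; a one-line comment above the check stating that the bound exists to keep `sizeof(*sops) * nsops` from overflowing would save the next reader from having to recover the CVE rationale from the commit log, and it is worth confirming that SEMOPM is visible in this file in the target trees (the hunk does not show an added include) so the backport builds as a pure one-line change.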