diff mbox series

perf/core: Fix the perf_cpu_time_max_percent check

Message ID 20180720161101.19278-2-colin.king@canonical.com
State New
Headers show
Series perf/core: Fix the perf_cpu_time_max_percent check | expand

Commit Message

Colin Ian King July 20, 2018, 4:11 p.m. UTC 
From: Tan Xiaojun <tanxiaojun@huawei.com>

CVE-2017-18255

Use "proc_dointvec_minmax" instead of "proc_dointvec" to check the input
value from user-space.

If not, we can set a big value and some vars will overflow like
"sysctl_perf_event_sample_rate" which will cause a lot of unexpected
problems.

Signed-off-by: Tan Xiaojun <tanxiaojun@huawei.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: <acme@kernel.org>
Cc: <alexander.shishkin@linux.intel.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Stephane Eranian <eranian@google.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Vince Weaver <vincent.weaver@maine.edu>
Link: http://lkml.kernel.org/r/1487829879-56237-1-git-send-email-tanxiaojun@huawei.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
(clean upstream cherry pick of commit 1572e45a924f254d9570093abde46430c3172e3d)
Signed-off-by: Colin Ian King <colin.king@canonical.com>
---
 kernel/events/core.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Stefan Bader July 23, 2018, 1:02 p.m. UTC | #1 
On 20.07.2018 18:11, Colin King wrote:
> From: Tan Xiaojun <tanxiaojun@huawei.com>
> 
> CVE-2017-18255
> 
> Use "proc_dointvec_minmax" instead of "proc_dointvec" to check the input
> value from user-space.
> 
> If not, we can set a big value and some vars will overflow like
> "sysctl_perf_event_sample_rate" which will cause a lot of unexpected
> problems.
> 
> Signed-off-by: Tan Xiaojun <tanxiaojun@huawei.com>
> Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
> Cc: <acme@kernel.org>
> Cc: <alexander.shishkin@linux.intel.com>
> Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
> Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
> Cc: Jiri Olsa <jolsa@redhat.com>
> Cc: Linus Torvalds <torvalds@linux-foundation.org>
> Cc: Peter Zijlstra <peterz@infradead.org>
> Cc: Stephane Eranian <eranian@google.com>
> Cc: Thomas Gleixner <tglx@linutronix.de>
> Cc: Vince Weaver <vincent.weaver@maine.edu>
> Link: http://lkml.kernel.org/r/1487829879-56237-1-git-send-email-tanxiaojun@huawei.com
> Signed-off-by: Ingo Molnar <mingo@kernel.org>
> (clean upstream cherry pick of commit 1572e45a924f254d9570093abde46430c3172e3d)
> Signed-off-by: Colin Ian King <colin.king@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
> ---

-> (cherry picked from commit 1572e45a924f254d9570093abde46430c3172e3d)

>  kernel/events/core.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/kernel/events/core.c b/kernel/events/core.c
> index d4e3f8d..c1c1cdf 100644
> --- a/kernel/events/core.c
> +++ b/kernel/events/core.c
> @@ -455,7 +455,7 @@ int perf_cpu_time_max_percent_handler(struct ctl_table *table, int write,
>  				void __user *buffer, size_t *lenp,
>  				loff_t *ppos)
>  {
> -	int ret = proc_dointvec(table, write, buffer, lenp, ppos);
> +	int ret = proc_dointvec_minmax(table, write, buffer, lenp, ppos);
>  
>  	if (ret || !write)
>  		return ret;
>
Kleber Sacilotto de Souza July 23, 2018, 2:54 p.m. UTC | #2 
On 07/20/18 18:11, Colin King wrote:
> From: Tan Xiaojun <tanxiaojun@huawei.com>
> 
> CVE-2017-18255
> 
> Use "proc_dointvec_minmax" instead of "proc_dointvec" to check the input
> value from user-space.
> 
> If not, we can set a big value and some vars will overflow like
> "sysctl_perf_event_sample_rate" which will cause a lot of unexpected
> problems.
> 
> Signed-off-by: Tan Xiaojun <tanxiaojun@huawei.com>
> Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
> Cc: <acme@kernel.org>
> Cc: <alexander.shishkin@linux.intel.com>
> Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
> Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
> Cc: Jiri Olsa <jolsa@redhat.com>
> Cc: Linus Torvalds <torvalds@linux-foundation.org>
> Cc: Peter Zijlstra <peterz@infradead.org>
> Cc: Stephane Eranian <eranian@google.com>
> Cc: Thomas Gleixner <tglx@linutronix.de>
> Cc: Vince Weaver <vincent.weaver@maine.edu>
> Link: http://lkml.kernel.org/r/1487829879-56237-1-git-send-email-tanxiaojun@huawei.com
> Signed-off-by: Ingo Molnar <mingo@kernel.org>
> (clean upstream cherry pick of commit 1572e45a924f254d9570093abde46430c3172e3d)
> Signed-off-by: Colin Ian King <colin.king@canonical.com>

Acked-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>

> ---
>  kernel/events/core.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/kernel/events/core.c b/kernel/events/core.c
> index d4e3f8d..c1c1cdf 100644
> --- a/kernel/events/core.c
> +++ b/kernel/events/core.c
> @@ -455,7 +455,7 @@ int perf_cpu_time_max_percent_handler(struct ctl_table *table, int write,
>  				void __user *buffer, size_t *lenp,
>  				loff_t *ppos)
>  {
> -	int ret = proc_dointvec(table, write, buffer, lenp, ppos);
> +	int ret = proc_dointvec_minmax(table, write, buffer, lenp, ppos);
>  
>  	if (ret || !write)
>  		return ret;
>
diff mbox series

Patch

diff --git a/kernel/events/core.c b/kernel/events/core.c
index d4e3f8d..c1c1cdf 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -455,7 +455,7 @@  int perf_cpu_time_max_percent_handler(struct ctl_table *table, int write,
 				void __user *buffer, size_t *lenp,
 				loff_t *ppos)
 {
-	int ret = proc_dointvec(table, write, buffer, lenp, ppos);
+	int ret = proc_dointvec_minmax(table, write, buffer, lenp, ppos);
 
 	if (ret || !write)
 		return ret;