Message ID | 20180720161101.19278-2-colin.king@canonical.com |
---|---|
State | New |
Headers | show |
Series | perf/core: Fix the perf_cpu_time_max_percent check | expand |
On 20.07.2018 18:11, Colin King wrote: > From: Tan Xiaojun <tanxiaojun@huawei.com> > > CVE-2017-18255 > > Use "proc_dointvec_minmax" instead of "proc_dointvec" to check the input > value from user-space. > > If not, we can set a big value and some vars will overflow like > "sysctl_perf_event_sample_rate" which will cause a lot of unexpected > problems. > > Signed-off-by: Tan Xiaojun <tanxiaojun@huawei.com> > Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org> > Cc: <acme@kernel.org> > Cc: <alexander.shishkin@linux.intel.com> > Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com> > Cc: Arnaldo Carvalho de Melo <acme@redhat.com> > Cc: Jiri Olsa <jolsa@redhat.com> > Cc: Linus Torvalds <torvalds@linux-foundation.org> > Cc: Peter Zijlstra <peterz@infradead.org> > Cc: Stephane Eranian <eranian@google.com> > Cc: Thomas Gleixner <tglx@linutronix.de> > Cc: Vince Weaver <vincent.weaver@maine.edu> > Link: http://lkml.kernel.org/r/1487829879-56237-1-git-send-email-tanxiaojun@huawei.com > Signed-off-by: Ingo Molnar <mingo@kernel.org> > (clean upstream cherry pick of commit 1572e45a924f254d9570093abde46430c3172e3d) > Signed-off-by: Colin Ian King <colin.king@canonical.com> Acked-by: Stefan Bader <stefan.bader@canonical.com> > --- -> (cherry picked from commit 1572e45a924f254d9570093abde46430c3172e3d) > kernel/events/core.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/kernel/events/core.c b/kernel/events/core.c > index d4e3f8d..c1c1cdf 100644 > --- a/kernel/events/core.c > +++ b/kernel/events/core.c > @@ -455,7 +455,7 @@ int perf_cpu_time_max_percent_handler(struct ctl_table *table, int write, > void __user *buffer, size_t *lenp, > loff_t *ppos) > { > - int ret = proc_dointvec(table, write, buffer, lenp, ppos); > + int ret = proc_dointvec_minmax(table, write, buffer, lenp, ppos); > > if (ret || !write) > return ret; >
On 07/20/18 18:11, Colin King wrote: > From: Tan Xiaojun <tanxiaojun@huawei.com> > > CVE-2017-18255 > > Use "proc_dointvec_minmax" instead of "proc_dointvec" to check the input > value from user-space. > > If not, we can set a big value and some vars will overflow like > "sysctl_perf_event_sample_rate" which will cause a lot of unexpected > problems. > > Signed-off-by: Tan Xiaojun <tanxiaojun@huawei.com> > Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org> > Cc: <acme@kernel.org> > Cc: <alexander.shishkin@linux.intel.com> > Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com> > Cc: Arnaldo Carvalho de Melo <acme@redhat.com> > Cc: Jiri Olsa <jolsa@redhat.com> > Cc: Linus Torvalds <torvalds@linux-foundation.org> > Cc: Peter Zijlstra <peterz@infradead.org> > Cc: Stephane Eranian <eranian@google.com> > Cc: Thomas Gleixner <tglx@linutronix.de> > Cc: Vince Weaver <vincent.weaver@maine.edu> > Link: http://lkml.kernel.org/r/1487829879-56237-1-git-send-email-tanxiaojun@huawei.com > Signed-off-by: Ingo Molnar <mingo@kernel.org> > (clean upstream cherry pick of commit 1572e45a924f254d9570093abde46430c3172e3d) > Signed-off-by: Colin Ian King <colin.king@canonical.com> Acked-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com> > --- > kernel/events/core.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/kernel/events/core.c b/kernel/events/core.c > index d4e3f8d..c1c1cdf 100644 > --- a/kernel/events/core.c > +++ b/kernel/events/core.c > @@ -455,7 +455,7 @@ int perf_cpu_time_max_percent_handler(struct ctl_table *table, int write, > void __user *buffer, size_t *lenp, > loff_t *ppos) > { > - int ret = proc_dointvec(table, write, buffer, lenp, ppos); > + int ret = proc_dointvec_minmax(table, write, buffer, lenp, ppos); > > if (ret || !write) > return ret; >
diff --git a/kernel/events/core.c b/kernel/events/core.c index d4e3f8d..c1c1cdf 100644 --- a/kernel/events/core.c +++ b/kernel/events/core.c @@ -455,7 +455,7 @@ int perf_cpu_time_max_percent_handler(struct ctl_table *table, int write, void __user *buffer, size_t *lenp, loff_t *ppos) { - int ret = proc_dointvec(table, write, buffer, lenp, ppos); + int ret = proc_dointvec_minmax(table, write, buffer, lenp, ppos); if (ret || !write) return ret;