From patchwork Wed May 18 21:16:48 2011 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: [CVE-2011-1593, Hardy, 2/2] proc: do proper range check on readdir offset, CVE-2011-1593 Date: Wed, 18 May 2011 11:16:48 -0000 From: Herton Ronaldo Krzesinski X-Patchwork-Id: 96250 Message-Id: <1305753408-6848-3-git-send-email-herton.krzesinski@canonical.com> To: kernel-team@lists.ubuntu.com From: Linus Torvalds CVE-2011-1593 BugLink: https://bugs.launchpad.net/bugs/784727 Released until now with stable versions 2.6.27.59, 2.6.32.39, 2.6.33.12, 2.6.35.13, 2.6.38.4 Rather than pass in some random truncated offset to the pid-related functions, check that the offset is in range up-front. This is just cleanup, the previous commit fixed the real problem. Cc: stable@kernel.org Signed-off-by: Linus Torvalds (cherry-picked from commit d8bdc59f215e62098bc5b4256fd9928bf27053a1 upstream) Signed-off-by: Herton Ronaldo Krzesinski Acked-by: Brad Figg Acked-by: John Johansen --- fs/proc/base.c | 9 +++++++-- 1 files changed, 7 insertions(+), 2 deletions(-) diff --git a/fs/proc/base.c b/fs/proc/base.c index 1898c49..a91dc82 100644 --- a/fs/proc/base.c +++ b/fs/proc/base.c @@ -2560,11 +2560,16 @@ static int proc_pid_fill_cache(struct file *filp, void *dirent, filldir_t filldi /* for the /proc/ directory itself, after non-process stuff has been done */ int proc_pid_readdir(struct file * filp, void * dirent, filldir_t filldir) { - unsigned int nr = filp->f_pos - FIRST_PROCESS_ENTRY; - struct task_struct *reaper = get_proc_task(filp->f_path.dentry->d_inode); + unsigned int nr; + struct task_struct *reaper; struct tgid_iter iter; struct pid_namespace *ns; + if (filp->f_pos >= PID_MAX_LIMIT + TGID_OFFSET) + goto out_no_task; + nr = filp->f_pos - FIRST_PROCESS_ENTRY; + + reaper = get_proc_task(filp->f_path.dentry->d_inode); if (!reaper) goto out_no_task;