Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1754460AbbBOFb7 (ORCPT <rfc822;w@1wt.eu>);
	Sun, 15 Feb 2015 00:31:59 -0500
Received: from mx1.redhat.com ([209.132.183.28]:54757 "EHLO mx1.redhat.com"
	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
	id S1752978AbbBOFb5 (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
	Sun, 15 Feb 2015 00:31:57 -0500
Date: Sun, 15 Feb 2015 13:31:51 +0800
From: Fam Zheng <famz@redhat.com>
To: Dan Rosenberg <dan.j.rosenberg@gmail.com>
Cc: "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH RFC v3 4/7] epoll: Add implementation for epoll_ctl_batch
Message-ID: <20150215053151.GA6093@fam-t430.nay.redhat.com>
References: <54DE71E4.6070304@gmail.com>
 <54DE9179.6080401@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <54DE9179.6080401@gmail.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 789
Lines: 20

On Fri, 02/13 19:06, Dan Rosenberg wrote:
> 
> > +	if (ncmds <= 0 || !cmds)
> > +		return -EINVAL;
> > +	cmd_size = sizeof(struct epoll_ctl_cmd) * ncmds;
> > +	kcmds = kmalloc(cmd_size, GFP_KERNEL);
> You should probably fix the integer overflow in the calculation of the
> cmd_size variable, unless you like root vulnerabilities.
> 

Thanks! In the case of multiply overflow, we allocate a buffer that is smaller
than we think, and consequent writings will corrupt kernel memory after it.
That is the root vulnerabilities here. Will fix!

Fam
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/