Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754460AbbBOFb7 (ORCPT ); Sun, 15 Feb 2015 00:31:59 -0500 Received: from mx1.redhat.com ([209.132.183.28]:54757 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752978AbbBOFb5 (ORCPT ); Sun, 15 Feb 2015 00:31:57 -0500 Date: Sun, 15 Feb 2015 13:31:51 +0800 From: Fam Zheng To: Dan Rosenberg Cc: "linux-kernel@vger.kernel.org" Subject: Re: [PATCH RFC v3 4/7] epoll: Add implementation for epoll_ctl_batch Message-ID: <20150215053151.GA6093@fam-t430.nay.redhat.com> References: <54DE71E4.6070304@gmail.com> <54DE9179.6080401@gmail.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <54DE9179.6080401@gmail.com> User-Agent: Mutt/1.5.23 (2014-03-12) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 789 Lines: 20 On Fri, 02/13 19:06, Dan Rosenberg wrote: > > > + if (ncmds <= 0 || !cmds) > > + return -EINVAL; > > + cmd_size = sizeof(struct epoll_ctl_cmd) * ncmds; > > + kcmds = kmalloc(cmd_size, GFP_KERNEL); > You should probably fix the integer overflow in the calculation of the > cmd_size variable, unless you like root vulnerabilities. > Thanks! In the case of multiply overflow, we allocate a buffer that is smaller than we think, and consequent writings will corrupt kernel memory after it. That is the root vulnerabilities here. Will fix! Fam -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/