Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1030482AbbEEFiy (ORCPT <rfc822;w@1wt.eu>);
	Tue, 5 May 2015 01:38:54 -0400
Received: from out2-smtp.messagingengine.com ([66.111.4.26]:59388 "EHLO
	out2-smtp.messagingengine.com" rhost-flags-OK-OK-OK-OK)
	by vger.kernel.org with ESMTP id S1030464AbbEEFij (ORCPT
	<rfc822;linux-kernel@vger.kernel.org>);
	Tue, 5 May 2015 01:38:39 -0400
X-Sasl-enc: ZulnYGVQhTsZXoAP/DlofQB1tcFNEzszOb0mCWi5lsIc 1430804315
Message-ID: <1430804310.2936.1.camel@pluto.fritz.box>
Subject: Re: [PATCH 3.2 059/221] autofs4: check dev ioctl size before
 allocating
From: Ian Kent <raven@themaw.net>
To: Ben Hutchings <ben@decadent.org.uk>
Cc: linux-kernel@vger.kernel.org, stable@vger.kernel.org,
        akpm@linux-foundation.org, Sasha Levin <sasha.levin@oracle.com>,
        Linus Torvalds <torvalds@linux-foundation.org>
Date: Tue, 05 May 2015 13:38:30 +0800
In-Reply-To: <lsq.1430788599.129920514@decadent.org.uk>
References: <lsq.1430788599.129920514@decadent.org.uk>
Content-Type: text/plain; charset="UTF-8"
X-Mailer: Evolution 3.10.4 (3.10.4-4.fc20) 
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 1482
Lines: 48

On Tue, 2015-05-05 at 02:16 +0100, Ben Hutchings wrote:
> 3.2.69-rc1 review patch.  If anyone has any objections, please let me know.

Perhaps you should also consider including commit 0a280962 along with
this one.

> 
> ------------------
> 
> From: Sasha Levin <sasha.levin@oracle.com>
> 
> commit e53d77eb8bb616e903e34cc7a918401bee3b5149 upstream.
> 
> There wasn't any check of the size passed from userspace before trying
> to allocate the memory required.
> 
> This meant that userspace might request more space than allowed,
> triggering an OOM.
> 
> Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
> Signed-off-by: Ian Kent <raven@themaw.net>
> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
> Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
> ---
>  fs/autofs4/dev-ioctl.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> --- a/fs/autofs4/dev-ioctl.c
> +++ b/fs/autofs4/dev-ioctl.c
> @@ -103,6 +103,9 @@ static struct autofs_dev_ioctl *copy_dev
>  	if (tmp.size < sizeof(tmp))
>  		return ERR_PTR(-EINVAL);
>  
> +	if (tmp.size > (PATH_MAX + sizeof(tmp)))
> +		return ERR_PTR(-ENAMETOOLONG);
> +
>  	return memdup_user(in, tmp.size);
>  }
>  
> 


--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/