Subject: Re: [PATCH] perf_counter: fix buffer overflow in perf_copy_attr()
From: Peter Zijlstra <peterz@infradead.org>
To: Xiao Guangrong <xiaoguangrong@cn.fujitsu.com>
Cc: Ingo Molnar <mingo@elte.hu>, Paul Mackerras <paulus@samba.org>,
       LKML <linux-kernel@vger.kernel.org>
In-Reply-To: <4AAF37D4.5010706@cn.fujitsu.com>
References: <4AAF37D4.5010706@cn.fujitsu.com>
Content-Type: text/plain
Date: Tue, 15 Sep 2009 09:40:14 +0200
Message-Id: <1253000414.5506.11.camel@laptop>
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
Sender: linux-kernel-owner@vger.kernel.org
Content-Length: 1110
Lines: 33

On Tue, 2009-09-15 at 14:44 +0800, Xiao Guangrong wrote:
> If we pass a big size data over perf_counter_open syscall, the kernel
> will copy this data to a small buffer, It will cause kernel crash.
> 
> This bug make kernel unsafe and no-root user can trigger it.

Ah, indeed. Thanks!

Acked-by: Peter Zijlstra <a.p.zijlstra@chello.nl>

> Signed-off-by: Xiao Guangrong <xiaoguangrong@cn.fujitsu.com>
> ---
>  kernel/perf_counter.c |    1 +
>  1 files changed, 1 insertions(+), 0 deletions(-)
> 
> diff --git a/kernel/perf_counter.c b/kernel/perf_counter.c
> index 667ab25..75c46c0 100644
> --- a/kernel/perf_counter.c
> +++ b/kernel/perf_counter.c
> @@ -4216,6 +4216,7 @@ static int perf_copy_attr(struct perf_counter_attr __user *uattr,
>  			if (val)
>  				goto err_size;
>  		}
> +		size = sizeof(*attr);
>  	}
>  
>  	ret = copy_from_user(attr, uattr, size);

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/