perf_counter: Fix buffer overflow in perf_copy_attr() · b3e62e3505 - Gogs

perf_counter: Fix buffer overflow in perf_copy_attr()

If we pass a big size data over perf_counter_open() syscall,
the kernel will copy this data to a small buffer, it will
cause kernel crash.

This bug makes the kernel unsafe and non-root local user can
trigger it.

Signed-off-by: Xiao Guangrong <xiaoguangrong@cn.fujitsu.com>
Acked-by: Peter Zijlstra <peterz@infradead.org>
Acked-by: Paul Mackerras <paulus@samba.org>
Cc: <stable@kernel.org>
LKML-Reference: <4AAF37D4.5010706@cn.fujitsu.com>
Signed-off-by: Ingo Molnar <mingo@elte.hu>

Xiao Guangrong 16 years ago

parent

74fca6a428

commit

b3e62e3505

1 changed files with 1 additions and 0 deletions

Split View Show Diff Stats

						
							+ 1
							
							- 0
						
kernel/perf_counter.c
							 
								View File
							
				@@ -4171,6 +4171,7 @@ static int perf_copy_attr(struct perf_counter_attr __user *uattr,
			
				 			if (val)
			
				 				goto err_size;
			
				 		}
			
				+		size = sizeof(*attr);
			
				 	}
			
				 	ret = copy_from_user(attr, uattr, size);