Re: [PATCH RFC v3 4/7] epoll: Add implementation for epoll_ctl_batch

From: Fam Zheng
Date: Sun Feb 15 2015 - 00:32:03 EST

Next message: Raghavendra K T: "Re: [PATCH V4] x86 spinlock: Fix memory corruption on completing completions"
Previous message: Michael S. Tsirkin: "[PATCH 1/2] virtio_pci_modern: type-safe io accessors"
In reply to: Dan Rosenberg: "Re: [PATCH RFC v3 4/7] epoll: Add implementation for epoll_ctl_batch"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, 02/13 19:06, Dan Rosenberg wrote:
>
> > + if (ncmds <= 0 || !cmds)
> > + return -EINVAL;
> > + cmd_size = sizeof(struct epoll_ctl_cmd) * ncmds;
> > + kcmds = kmalloc(cmd_size, GFP_KERNEL);
> You should probably fix the integer overflow in the calculation of the
> cmd_size variable, unless you like root vulnerabilities.
>

Thanks! In the case of multiply overflow, we allocate a buffer that is smaller
than we think, and consequent writings will corrupt kernel memory after it.
That is the root vulnerabilities here. Will fix!

Fam
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Raghavendra K T: "Re: [PATCH V4] x86 spinlock: Fix memory corruption on completing completions"
Previous message: Michael S. Tsirkin: "[PATCH 1/2] virtio_pci_modern: type-safe io accessors"
In reply to: Dan Rosenberg: "Re: [PATCH RFC v3 4/7] epoll: Add implementation for epoll_ctl_batch"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]