| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 25 Aug 2012 02:05:53 -0400
From: Xi Wang <xi.wang@...il.com>
To: netdev@...r.kernel.org
Cc: "David S. Miller" <davem@...emloft.net>,
Xi Wang <xi.wang@...il.com>, Eric Dumazet <edumazet@...gle.com>
Subject: [PATCH] af_unix: fix unix_nr_socks check in unix_create1()
This patch complements 518de9b3 ("fs: allow for more than 2^31 files").
get_max_files() returns files_stat.max_files, which can be set to any
value from user space via /proc/sys/fs/file-max. A large file-max will
cause an integer overflow in the following check:
if (atomic_long_read(&unix_nr_socks) > 2 * get_max_files())
goto out;
The kernel will then fail to create a unix domain socket.
Rewrite the check using "/ 2" on the left-hand side.
Signed-off-by: Xi Wang <xi.wang@...il.com>
Cc: Eric Dumazet <edumazet@...gle.com>
---
net/unix/af_unix.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
index c5ee4ff..99a8bc9 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -630,9 +630,9 @@ static struct sock *unix_create1(struct net *net, struct socket *sock)
{
struct sock *sk = NULL;
struct unix_sock *u;
+ unsigned long nr_socks = atomic_long_inc_return(&unix_nr_socks);
- atomic_long_inc(&unix_nr_socks);
- if (atomic_long_read(&unix_nr_socks) > 2 * get_max_files())
+ if (nr_socks / 2 > get_max_files())
goto out;
sk = sk_alloc(net, PF_UNIX, GFP_KERNEL, &unix_proto);
--
1.7.9.5
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists