| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <4AAF37D4.5010706@cn.fujitsu.com> Date: Tue, 15 Sep 2009 14:44:36 +0800 From: Xiao Guangrong <xiaoguangrong@...fujitsu.com> To: Ingo Molnar <mingo@...e.hu> CC: Peter Zijlstra <peterz@...radead.org>, Paul Mackerras <paulus@...ba.org>, LKML <linux-kernel@...r.kernel.org> Subject: [PATCH] perf_counter: fix buffer overflow in perf_copy_attr() If we pass a big size data over perf_counter_open syscall, the kernel will copy this data to a small buffer, It will cause kernel crash. This bug make kernel unsafe and no-root user can trigger it. Signed-off-by: Xiao Guangrong <xiaoguangrong@...fujitsu.com> --- kernel/perf_counter.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) diff --git a/kernel/perf_counter.c b/kernel/perf_counter.c index 667ab25..75c46c0 100644 --- a/kernel/perf_counter.c +++ b/kernel/perf_counter.c @@ -4216,6 +4216,7 @@ static int perf_copy_attr(struct perf_counter_attr __user *uattr, if (val) goto err_size; } + size = sizeof(*attr); } ret = copy_from_user(attr, uattr, size); -- 1.6.1.2 -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists