| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <1507296994-175620-2-git-send-email-luis.felipe.sandoval.castro@intel.com>
Date: Fri, 6 Oct 2017 08:36:34 -0500
From: Luis Felipe Sandoval Castro
<luis.felipe.sandoval.castro@...el.com>
To: linux-mm@...ck.org, linux-kernel@...r.kernel.org
Cc: akpm@...ux-foundation.org, vbabka@...e.cz, mhocko@...e.com,
mingo@...nel.org, rientjes@...gle.com, n-horiguchi@...jp.nec.com,
salls@...ucsb.edu,
Luis Felipe Sandoval Castro
<luis.felipe.sandoval.castro@...el.com>
Subject: [PATCH v1] mm/mempolicy.c: Fix get_nodes() off-by-one error.
set_mempolicy() and mbind() take as argument a pointer to a bit mask
(nodemask) and the number of bits in the mask the kernel will use
(maxnode), among others. For instace on a system with 2 NUMA nodes valid
masks are: 0b00, 0b01, 0b10 and 0b11 it's clear maxnode=2, however an
off-by-one error in get_nodes() the function that copies the node mask from
user space requires users to pass maxnode = 3 in this example and maxnode =
actual_maxnode + 1 in the general case. This patch fixes such error.
Signed-off-by: Luis Felipe Sandoval Castro <luis.felipe.sandoval.castro@...el.com>
---
mm/mempolicy.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/mm/mempolicy.c b/mm/mempolicy.c
index 006ba62..0c2e3cd 100644
--- a/mm/mempolicy.c
+++ b/mm/mempolicy.c
@@ -1265,11 +1265,10 @@ static int get_nodes(nodemask_t *nodes, const unsigned long __user *nmask,
unsigned long nlongs;
unsigned long endmask;
- --maxnode;
nodes_clear(*nodes);
- if (maxnode == 0 || !nmask)
+ if (maxnode == 1 || !nmask)
return 0;
- if (maxnode > PAGE_SIZE*BITS_PER_BYTE)
+ if (maxnode - 1 > PAGE_SIZE * BITS_PER_BYTE)
return -EINVAL;
nlongs = BITS_TO_LONGS(maxnode);
--
1.8.3.1
Powered by blists - more mailing lists