| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 28 Jul 2016 17:42:21 -0700 From: William Tu <u9012063@...il.com> To: netdev@...r.kernel.org Subject: [PATCH] bpf: fix size of copy_to_user in percpu map. The total size of value copy_to_user() writes to userspace should be the (current number of cpu) * (value size), instead of num_possible_cpus() * (value size). Found by samples/bpf/test_maps.c, which always copies 512 byte to userspace, crashing the userspace program stack. Signed-off-by: William Tu <u9012063@...il.com> --- kernel/bpf/syscall.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c index 228f962..47f738e 100644 --- a/kernel/bpf/syscall.c +++ b/kernel/bpf/syscall.c @@ -324,7 +324,8 @@ static int map_lookup_elem(union bpf_attr *attr) goto free_value; err = -EFAULT; - if (copy_to_user(uvalue, value, value_size) != 0) + if (copy_to_user(uvalue, value, + map->value_size * num_online_cpus()) != 0) goto free_value; err = 0; -- 2.5.0
Powered by blists - more mailing lists