diff options
| author | Jonathan Corbet <corbet@lwn.net> | 2008-02-17 18:18:36 +0100 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@suse.de> | 2008-02-25 15:59:21 -0800 |
| commit | 07a854c8eeb63498124ea760dc1ffa4335627f75 (patch) | |
| tree | 5150285d5465f247c0ba59d7b64e131758e7b936 /include/linux/sysdev.h | |
| parent | 7d495f4f808c8625900d9e52cb531992b350458d (diff) | |
Be more robust about bad arguments in get_user_pages()
MAINLINE: 900cf086fd2fbad07f72f4575449e0d0958f860f
So I spent a while pounding my head against my monitor trying to figure
out the vmsplice() vulnerability - how could a failure to check for
*read* access turn into a root exploit? It turns out that it's a buffer
overflow problem which is made easy by the way get_user_pages() is
coded.
In particular, "len" is a signed int, and it is only checked at the
*end* of a do {} while() loop. So, if it is passed in as zero, the loop
will execute once and decrement len to -1. At that point, the loop will
proceed until the next invalid address is found; in the process, it will
likely overflow the pages array passed in to get_user_pages().
I think that, if get_user_pages() has been asked to grab zero pages,
that's what it should do. Thus this patch; it is, among other things,
enough to block the (already fixed) root exploit and any others which
might be lurking in similar code. I also think that the number of pages
should be unsigned, but changing the prototype of this function probably
requires some more careful review.
Signed-off-by: Jonathan Corbet <corbet@lwn.net>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
CC: Oliver Pinter <oliver.pntr@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Diffstat (limited to 'include/linux/sysdev.h')
0 files changed, 0 insertions, 0 deletions