perf_counter: Fix buffer overflow in perf_copy_attr()
authorXiao Guangrong <xiaoguangrong@cn.fujitsu.com>
Tue, 15 Sep 2009 06:44:36 +0000 (14:44 +0800)
committerIngo Molnar <mingo@elte.hu>
Tue, 15 Sep 2009 07:53:31 +0000 (09:53 +0200)
If we pass a big size data over perf_counter_open() syscall,
the kernel will copy this data to a small buffer, it will
cause kernel crash.

This bug makes the kernel unsafe and non-root local user can
trigger it.

Signed-off-by: Xiao Guangrong <xiaoguangrong@cn.fujitsu.com>
Acked-by: Peter Zijlstra <peterz@infradead.org>
Acked-by: Paul Mackerras <paulus@samba.org>
Cc: <stable@kernel.org>
LKML-Reference: <4AAF37D4.5010706@cn.fujitsu.com>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
kernel/perf_counter.c

index d7cbc579fc8016603f0d0644c339a470224ad0b9..a67a1dc3cfa3858c0ca969d1feea2f5605fb331b 100644 (file)
@@ -4171,6 +4171,7 @@ static int perf_copy_attr(struct perf_counter_attr __user *uattr,
                        if (val)
                                goto err_size;
                }
+               size = sizeof(*attr);
        }
 
        ret = copy_from_user(attr, uattr, size);