Diffstat (limited to 'releases/2.6.32.58/relay-prevent-integer-overflow-in-relay_open.patch')
-rw-r--r-- | releases/2.6.32.58/relay-prevent-integer-overflow-in-relay_open.patch | 48 |
1 files changed, 48 insertions, 0 deletions
diff --git a/releases/2.6.32.58/relay-prevent-integer-overflow-in-relay_open.patch b/releases/2.6.32.58/relay-prevent-integer-overflow-in-relay_open.patch
new file mode 100644
index 0000000..2e9f446
--- /dev/null
+++ b/releases/2.6.32.58/relay-prevent-integer-overflow-in-relay_open.patch
@@ -0,0 +1,48 @@
+From f6302f1bcd75a042df69866d98b8d775a668f8f1 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Fri, 10 Feb 2012 09:03:58 +0100
+Subject: relay: prevent integer overflow in relay_open()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit f6302f1bcd75a042df69866d98b8d775a668f8f1 upstream.
+
+"subbuf_size" and "n_subbufs" come from the user and they need to be
+capped to prevent an integer overflow.
+
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/relay.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/kernel/relay.c
++++ b/kernel/relay.c
+@@ -171,10 +171,14 @@ depopulate:
+ */
+ static struct rchan_buf *relay_create_buf(struct rchan *chan)
+ {
+- struct rchan_buf *buf = kzalloc(sizeof(struct rchan_buf), GFP_KERNEL);
+- if (!buf)
++ struct rchan_buf *buf;
++
++ if (chan->n_subbufs > UINT_MAX / sizeof(size_t *))
+ return NULL;
+
++ buf = kzalloc(sizeof(struct rchan_buf), GFP_KERNEL);
++ if (!buf)
++ return NULL;
+ buf->padding = kmalloc(chan->n_subbufs * sizeof(size_t *), GFP_KERNEL);
+ if (!buf->padding)
+ goto free_buf;
+@@ -581,6 +585,8 @@ struct rchan *relay_open(const char *bas
+
+ if (!(subbuf_size && n_subbufs))
+ return NULL;
++ if (subbuf_size > UINT_MAX / n_subbufs)
++ return NULL;
+
+ chan = kzalloc(sizeof(struct rchan), GFP_KERNEL);
+ if (!chan) |
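Review bot: Both added guards cap the operands at `UINT_MAX`, but nothing in the code records which later computation that limit protects. In relay_create_buf() the guarded expression `chan->n_subbufs * sizeof(size_t *)` is visible, while in relay_open() the product of `subbuf_size` and `n_subbufs` is formed outside the hunk. A one-line comment above each check would keep the intent from being lost in a later refactor, e.g. `/* caller-supplied count: reject values whose padding array size would overflow */` and `/* subbuf_size * n_subbufs must fit in an unsigned int */`. If that product is later rounded up (for instance to a page multiple, which this hunk does not show), a value just under `UINT_MAX` could presumably still wrap on 32-bit, so it is worth confirming whether a tighter cap is needed. Both function bodies continue outside the hunks.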