forked from luck/tmp_suning_uos_patched
perf_counter: Fix buffer overflow in perf_copy_attr()
If we pass data of a big size over the perf_counter_open() syscall, the kernel will copy this data to a small buffer, which will cause a kernel crash. This bug makes the kernel unsafe, and a non-root local user can trigger it.

Signed-off-by: Xiao Guangrong <xiaoguangrong@cn.fujitsu.com>
Acked-by: Peter Zijlstra <peterz@infradead.org>
Acked-by: Paul Mackerras <paulus@samba.org>
Cc: <stable@kernel.org>
LKML-Reference: <4AAF37D4.5010706@cn.fujitsu.com>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
parent 74fca6a428
commit b3e62e3505
@ -4171,6 +4171,7 @@ static int perf_copy_attr(struct perf_counter_attr __user *uattr,
|
|||||||
if (val)
|
if (val)
|
||||||
goto err_size;
|
goto err_size;
|
||||||
}
|
}
|
||||||
|
size = sizeof(*attr);
|
||||||
}
|
}
|
||||||
|
|
||||||
ret = copy_from_user(attr, uattr, size);
|
ret = copy_from_user(attr, uattr, size);
|
||||||
|
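Review bot: the added `size = sizeof(*attr);` is the only thing bounding the later `copy_from_user(attr, uattr, size);`, and it sits inside a block several lines above the copy, so the copy is safe only as long as every path through perf_copy_attr() reaches it with size no larger than the destination. Please add a one-line comment at the assignment stating that the bytes beyond sizeof(*attr) have already passed the `if (val) goto err_size;` check and that only the known part of the structure is copied, or apply the clamp at the copy_from_user() call itself so the bound is visible next to the copy. Because the commit message says a non-root local user can reach this path, a selftest that passes an attr larger than sizeof(*attr) would help keep the bound from regressing.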