mirror of https://gitee.com/openkylin/linux.git
ARM: 6891/1: prevent heap corruption in OABI semtimedop
When CONFIG_OABI_COMPAT is set, the wrapper for semtimedop does not bound the nsops argument. A sufficiently large value will cause an integer overflow in allocation size, followed by copying too much data into the allocated buffer. Fix this by restricting nsops to SEMOPM. Untested. Cc: stable@kernel.org Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com> Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
This commit is contained in:
parent
408133e9dc
commit
0f22072ab5
|
@ -311,7 +311,7 @@ asmlinkage long sys_oabi_semtimedop(int semid,
|
|||
long err;
|
||||
int i;
|
||||
|
||||
if (nsops < 1)
|
||||
if (nsops < 1 || nsops > SEMOPM)
|
||||
return -EINVAL;
|
||||
sops = kmalloc(sizeof(*sops) * nsops, GFP_KERNEL);
|
||||
if (!sops)
|
||||
|
|
Loading…
Reference in New Issue