ARM: 6891/1: prevent heap corruption in OABI semtimedop
When CONFIG_OABI_COMPAT is set, the wrapper for semtimedop does not bound the nsops argument. A sufficiently large value will cause an integer overflow in allocation size, followed by copying too much data into the allocated buffer. Fix this by restricting nsops to SEMOPM. Untested. Cc: stable@kernel.org Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com> Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
This commit is contained in:
parent
408133e9dc
commit
0f22072ab5
|
@ -311,7 +311,7 @@ asmlinkage long sys_oabi_semtimedop(int semid,
|
||||||
long err;
|
long err;
|
||||||
int i;
|
int i;
|
||||||
|
|
||||||
if (nsops < 1)
|
if (nsops < 1 || nsops > SEMOPM)
|
||||||
return -EINVAL;
|
return -EINVAL;
|
||||||
sops = kmalloc(sizeof(*sops) * nsops, GFP_KERNEL);
|
sops = kmalloc(sizeof(*sops) * nsops, GFP_KERNEL);
|
||||||
if (!sops)
|
if (!sops)
|
||||||
|
|
Reference in New Issue