Commit | Line | Data |
---|---|---|
1b1a3408 GKH |
1 | From 7de249964f5578e67b99699c5f0b405738d820a2 Mon Sep 17 00:00:00 2001 |
2 | From: Dave Weinstein <olorin@google.com> | |
3 | Date: Thu, 28 Jul 2016 11:55:41 -0700 | |
4 | Subject: arm: oabi compat: add missing access checks | |
5 | ||
6 | From: Dave Weinstein <olorin@google.com> | |
7 | ||
8 | commit 7de249964f5578e67b99699c5f0b405738d820a2 upstream. | |
9 | ||
10 | Add access checks to sys_oabi_epoll_wait() and sys_oabi_semtimedop(). | |
11 | This fixes CVE-2016-3857, a local privilege escalation under | |
12 | CONFIG_OABI_COMPAT. | |
13 | ||
14 | Reported-by: Chiachih Wu <wuchiachih@gmail.com> | |
15 | Reviewed-by: Kees Cook <keescook@chromium.org> | |
16 | Reviewed-by: Nicolas Pitre <nico@linaro.org> | |
17 | Signed-off-by: Dave Weinstein <olorin@google.com> | |
18 | Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> | |
19 | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> | |
20 | ||
21 | --- | |
22 | arch/arm/kernel/sys_oabi-compat.c | 8 +++++++- | |
23 | 1 file changed, 7 insertions(+), 1 deletion(-) | |
24 | ||
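--- a/arch/arm/kernel/sys_oabi-compat.c
+++ b/arch/arm/kernel/sys_oabi-compat.c
@@ -279,8 +279,12 @@ asmlinkage long sys_oabi_epoll_wait(int
 mm_segment_t fs;
 long ret, err, i;
 
- if (maxevents <= 0 || maxevents > (INT_MAX/sizeof(struct epoll_event)))
+ if (maxevents <= 0 ||
+ maxevents > (INT_MAX/sizeof(*kbuf)) ||
+ maxevents > (INT_MAX/sizeof(*events)))
 return -EINVAL;
+ if (!access_ok(VERIFY_WRITE, events, sizeof(*events) * maxevents))
+ return -EFAULT;
 kbuf = kmalloc(sizeof(*kbuf) * maxevents, GFP_KERNEL);
 if (!kbuf)
 return -ENOMEM;
@@ -317,6 +321,8 @@ asmlinkage long sys_oabi_semtimedop(int
 
 if (nsops < 1 || nsops > SEMOPM)
 return -EINVAL;
+ if (!access_ok(VERIFY_READ, tsops, sizeof(*tsops) * nsops))
+ return -EFAULT;
 sops = kmalloc(sizeof(*sops) * nsops, GFP_KERNEL);
 if (!sops)
 return -ENOMEM;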
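Review bot: The two added access_ok() calls carry no comment saying why one up-front range check is required, and both function bodies start and end outside the hunks, so a reader cannot see what depends on them. In sys_oabi_epoll_wait() I would put `/* events is filled element by element below; validate the whole user range once, after maxevents is bounded so the size cannot wrap */` above the VERIFY_WRITE check. The matching one-liner belongs above the VERIFY_READ check on tsops in sys_oabi_semtimedop(), where `nsops > SEMOPM` does the bounding. If the copy loops use unchecked accessors such as __put_user_error()/__get_user_error() (not visible here, so to be confirmed), these checks are the only thing keeping a caller-supplied kernel address out of them. The comment would stop a later cleanup from dropping them as redundant.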