]> git.ipfire.org Git - thirdparty/linux.git/commitdiff
s390/monwriter: Reject buffer reuse with different data length
authorGerald Schaefer <gerald.schaefer@linux.ibm.com>
Tue, 23 Jun 2026 17:44:06 +0000 (19:44 +0200)
committerVasily Gorbik <gor@linux.ibm.com>
Thu, 2 Jul 2026 14:51:06 +0000 (16:51 +0200)
When data buffers are reused, e.g. for interval sample records, the
first record determines the data length, and the size of the buffer for
user copy. Current monwriter code does not check if the data length was
changed for subsequent records, which also would never happen for valid
user programs.

However, a malicious user could change the data length, resulting in out
of bounds user copy to the kernel buffer, and memory corruption. By
default, the monwriter misc device is created with root-only permissions,
so practical impact is typically low.

Fix this by checking for changed data length and rejecting such records.

Cc: stable@vger.kernel.org
Signed-off-by: Gerald Schaefer <gerald.schaefer@linux.ibm.com>
Reviewed-by: Christian Borntraeger <borntraeger@linux.ibm.com>
Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
drivers/s390/char/monwriter.c

index eaeb4a6384d1ffa38fb948a08586f723576736fd..ecf121a87f88fa3f2aac2b01a046a1fe2dc7bdf3 100644 (file)
@@ -122,6 +122,9 @@ static int monwrite_new_hdr(struct mon_private *monpriv)
                        kfree(monbuf->data);
                        kfree(monbuf);
                        monbuf = NULL;
+               } else if (monbuf->hdr.datalen != monhdr->datalen) {
+                       /* Data with buffer reuse must not change its length */
+                       return -EINVAL;
                }
        } else if (monhdr->mon_function != MONWRITE_STOP_INTERVAL) {
                if (mon_buf_count >= mon_max_bufs)