mips: sched: Fix CPUMASK_OFFSTACK memory corruption

This patch addresses a critical memory management flaw. When
CONFIG_CPUMASK_OFFSTACK is enabled, cpumask_var_t is a pointer.
Consequently, sizeof(new_mask) evaluates to the pointer size, causing
copy_from_user() to clobber the mask pointer. Furthermore, the old
logic performed copy_from_user() before allocating the mask.

Fix this by allocating new_mask first. To handle variable-sized user
masks correctly, use cpumask_size() to truncate overly large user masks
or pad undersized masks with zeros before copying the data directly into
the allocated buffer.

Fixes: 295cbf6d63165 ("[MIPS] Move FPU affinity code into separate file.")
Cc: stable@vger.kernel.org
Signed-off-by: Aaron Tomlin <atomlin@atomlin.com>
Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>

diff --git a/arch/mips/kernel/mips-mt-fpaff.c b/arch/mips/kernel/mips-mt-fpaff.c
index 10172fc4f627b8039a6d60b844063114ef7c1e94..4fead87d2f43306eda84108c95e4911d2040c1c2 100644 (file)
--- a/arch/mips/kernel/mips-mt-fpaff.c
+++ b/arch/mips/kernel/mips-mt-fpaff.c
@@ -71,11 +71,16 @@ asmlinkage long mipsmt_sys_sched_setaffinity(pid_t pid, unsigned int len,
        struct task_struct *p;
        int retval;
 
-       if (len < sizeof(new_mask))
-               return -EINVAL;
-
-       if (copy_from_user(&new_mask, user_mask_ptr, sizeof(new_mask)))
-               return -EFAULT;
+       if (!alloc_cpumask_var(&new_mask, GFP_KERNEL))
+               return -ENOMEM;
+       if (len < cpumask_size())
+               cpumask_clear(new_mask);
+       else if (len > cpumask_size())
+               len = cpumask_size();
+       if (copy_from_user(new_mask, user_mask_ptr, len)) {
+               retval = -EFAULT;
+               goto out_free_new_mask;
+       }
 
        cpus_read_lock();
        rcu_read_lock();
@@ -84,7 +89,8 @@ asmlinkage long mipsmt_sys_sched_setaffinity(pid_t pid, unsigned int len,
        if (!p) {
                rcu_read_unlock();
                cpus_read_unlock();
-               return -ESRCH;
+               retval = -ESRCH;
+               goto out_free_new_mask;
        }
 
        /* Prevent p going away */
@@ -95,13 +101,9 @@ asmlinkage long mipsmt_sys_sched_setaffinity(pid_t pid, unsigned int len,
                retval = -ENOMEM;
                goto out_put_task;
        }
-       if (!alloc_cpumask_var(&new_mask, GFP_KERNEL)) {
-               retval = -ENOMEM;
-               goto out_free_cpus_allowed;
-       }
        if (!alloc_cpumask_var(&effective_mask, GFP_KERNEL)) {
                retval = -ENOMEM;
-               goto out_free_new_mask;
+               goto out_free_cpus_allowed;
        }
        if (!check_same_owner(p) && !capable(CAP_SYS_NICE)) {
                retval = -EPERM;
@@ -142,13 +144,13 @@ asmlinkage long mipsmt_sys_sched_setaffinity(pid_t pid, unsigned int len,
        }
 out_unlock:
        free_cpumask_var(effective_mask);
-out_free_new_mask:
-       free_cpumask_var(new_mask);
 out_free_cpus_allowed:
        free_cpumask_var(cpus_allowed);
 out_put_task:
        put_task_struct(p);
        cpus_read_unlock();
+out_free_new_mask:
+       free_cpumask_var(new_mask);
        return retval;
 }