This is a note to let you know that I've just added the patch titled
ARM: 6891/1: prevent heap corruption in OABI semtimedop
to the 2.6.38-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
arm-6891-1-prevent-heap-corruption-in-oabi-semtimedop.patch
and it can be found in the queue-2.6.38 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <[email protected]> know about it.
From 0f22072ab50cac7983f9660d33974b45184da4f9 Mon Sep 17 00:00:00 2001
From: Dan Rosenberg <[email protected]>
Date: Fri, 29 Apr 2011 15:48:07 +0100
Subject: ARM: 6891/1: prevent heap corruption in OABI semtimedop
From: Dan Rosenberg <[email protected]>
commit 0f22072ab50cac7983f9660d33974b45184da4f9 upstream.
When CONFIG_OABI_COMPAT is set, the wrapper for semtimedop does not
bound the nsops argument. A sufficiently large value will cause an
integer overflow in allocation size, followed by copying too much data
into the allocated buffer. Fix this by restricting nsops to SEMOPM.
Untested.
Signed-off-by: Dan Rosenberg <[email protected]>
Signed-off-by: Russell King <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
arch/arm/kernel/sys_oabi-compat.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/arm/kernel/sys_oabi-compat.c
+++ b/arch/arm/kernel/sys_oabi-compat.c
@@ -311,7 +311,7 @@ asmlinkage long sys_oabi_semtimedop(int
long err;
int i;
- if (nsops < 1)
+ if (nsops < 1 || nsops > SEMOPM)
return -EINVAL;
sops = kmalloc(sizeof(*sops) * nsops, GFP_KERNEL);
if (!sops)
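Review bot: the kmalloc(sizeof(*sops) * nsops, GFP_KERNEL) call right after the new check still multiplies by hand, so its safety depends entirely on the bound two lines above it. Consider kcalloc(nsops, sizeof(*sops), GFP_KERNEL), which rejects an overflowing product itself, so the allocation stays correct if the check is ever moved or SEMOPM changes. The changelog also says "Untested"; before this goes to stable it would be worth running a CONFIG_OABI_COMPAT build with nsops equal to SEMOPM (expected to pass the check) and SEMOPM + 1 (expected -EINVAL). A one-line comment at the check saying that the upper bound exists to keep the allocation size from wrapping would help later readers.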
Patches currently in stable-queue which might be from [email protected]
are
queue-2.6.38/arm-6891-1-prevent-heap-corruption-in-oabi-semtimedop.patch
queue-2.6.38/pmcraid-reject-negative-request-size.patch
queue-2.6.38/mpt2sas-prevent-heap-overflows-and-unchecked-reads.patch