On Thu, 2011-05-05 at 17:11 -0700, Greg KH wrote: > 2.6.38-stable review patch. If anyone has any objections, please let us know. > > ------------------ > > From: Dan Rosenberg <[email protected]> > > commit 0f22072ab50cac7983f9660d33974b45184da4f9 upstream. > > When CONFIG_OABI_COMPAT is set, the wrapper for semtimedop does not > bound the nsops argument. A sufficiently large value will cause an > integer overflow in allocation size, followed by copying too much data > into the allocated buffer. Fix this by restricting nsops to SEMOPM. > Untested. > > Signed-off-by: Dan Rosenberg <[email protected]> > Signed-off-by: Russell King <[email protected]> > Signed-off-by: Greg Kroah-Hartman <[email protected]> > > --- > arch/arm/kernel/sys_oabi-compat.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > --- a/arch/arm/kernel/sys_oabi-compat.c > +++ b/arch/arm/kernel/sys_oabi-compat.c > @@ -311,7 +311,7 @@ asmlinkage long sys_oabi_semtimedop(int > long err; > int i; > > - if (nsops < 1) > + if (nsops < 1 || nsops > SEMOPM) > return -EINVAL;
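Review bot: the added nsops > SEMOPM test is folded into the existing if (nsops < 1) condition, so both rejections share the one -EINVAL return and a caller cannot tell an oversized count from an invalid one. Splitting it into its own if with its own return value would keep the two cases distinct. The commit message also says the change is untested, so a run on a CONFIG_OABI_COMPAT build with nsops at SEMOPM and at SEMOPM + 1 would be worth recording before this goes to stable.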
It's not that important, but the manual page says the error code should be E2BIG in the latter case.

Ben.

-- 
Ben Hutchings
Once a job is fouled up, anything done to improve it makes it worse.
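The overflow described in the quoted commit message, modelled in user space as an added example; it is not code from the patch or from the kernel. The 6-byte entry size, the 32-bit size arithmetic, the unsigned nsops and the SEMOPM value of 32 are assumptions made for the model, and all function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed values for this model; the thread itself gives neither. */
#define SEMOPM_MODEL 32u   /* stands in for the kernel's SEMOPM */
#define ENTRY_SIZE   6u    /* assumed size of one semaphore operation entry */

/* Allocation size computed in 32-bit arithmetic: wraps modulo 2^32. */
static uint32_t alloc_size32(uint32_t nsops)
{
    return ENTRY_SIZE * nsops;
}

/* Bytes a per-entry copy loop would write, computed without wraparound. */
static uint64_t bytes_copied(uint32_t nsops)
{
    return (uint64_t)ENTRY_SIZE * nsops;
}

/* Check before the patch: only nsops < 1 is rejected. 1 means accepted. */
static int accepted_before(uint32_t nsops)
{
    return !(nsops < 1);
}

/* Check after the patch: nsops is also bounded by SEMOPM. */
static int accepted_after(uint32_t nsops)
{
    return !(nsops < 1 || nsops > SEMOPM_MODEL);
}

/* 1 if copying nsops entries would write past the allocated buffer. */
static int writes_past_buffer(uint32_t nsops)
{
    return bytes_copied(nsops) > alloc_size32(nsops);
}

int main(void)
{
    /* Constructed sample: smallest count whose size wraps for 6-byte entries. */
    uint32_t n = 715827883u;
    printf("nsops=%u alloc=%u copied=%llu before=%d after=%d\n",
           n, alloc_size32(n), (unsigned long long)bytes_copied(n),
           accepted_before(n), accepted_after(n));
    return 0;
}
```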
