Skip to content

Commit

Permalink
perf_counter: Fix buffer overflow in perf_copy_attr()
Browse files Browse the repository at this point in the history 
If we pass a big size data over perf_counter_open() syscall,
the kernel will copy this data to a small buffer, it will
cause kernel crash.

This bug makes the kernel unsafe and non-root local user can
trigger it.

Signed-off-by: Xiao Guangrong <xiaoguangrong@cn.fujitsu.com>
Acked-by: Peter Zijlstra <peterz@infradead.org>
Acked-by: Paul Mackerras <paulus@samba.org>
Cc: <stable@kernel.org>
LKML-Reference: <4AAF37D4.5010706@cn.fujitsu.com>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
  • Loading branch information
Xiao Guangrong authored and Ingo Molnar committed Sep 15, 2009
1 parent 74fca6a commit b3e62e3
Showing 1 changed file with 1 addition and 0 deletions.
1 change: 1 addition & 0 deletions kernel/perf_counter.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -4171,6 +4171,7 @@ static int perf_copy_attr(struct perf_counter_attr __user *uattr,
if (val)
goto err_size;
}
size = sizeof(*attr);
}

ret = copy_from_user(attr, uattr, size);
Expand Down

0 comments on commit b3e62e3

Please sign in to comment.