summaryrefslogtreecommitdiff
path: root/kernel/perf_counter.c
diff options
context:
space:
mode:
authorXiao Guangrong <xiaoguangrong@cn.fujitsu.com>2009-09-15 14:44:36 +0800
committerIngo Molnar <mingo@elte.hu>2009-09-15 09:53:31 +0200
commitb3e62e35058fc744ac794611f4e79bcd1c5a4b83 (patch)
tree797092fc19f9af8b6e5242c1987137dd362f51bc /kernel/perf_counter.c
parent74fca6a42863ffacaf7ba6f1936a9f228950f657 (diff)
downloadlwn-b3e62e35058fc744ac794611f4e79bcd1c5a4b83.tar.gz
lwn-b3e62e35058fc744ac794611f4e79bcd1c5a4b83.zip
perf_counter: Fix buffer overflow in perf_copy_attr()
If we pass a big size data over perf_counter_open() syscall, the kernel will copy this data to a small buffer, it will cause kernel crash. This bug makes the kernel unsafe and non-root local user can trigger it. Signed-off-by: Xiao Guangrong <xiaoguangrong@cn.fujitsu.com> Acked-by: Peter Zijlstra <peterz@infradead.org> Acked-by: Paul Mackerras <paulus@samba.org> Cc: <stable@kernel.org> LKML-Reference: <4AAF37D4.5010706@cn.fujitsu.com> Signed-off-by: Ingo Molnar <mingo@elte.hu>
Diffstat (limited to 'kernel/perf_counter.c')
-rw-r--r--kernel/perf_counter.c1
1 files changed, 1 insertions, 0 deletions
diff --git a/kernel/perf_counter.c b/kernel/perf_counter.c
index d7cbc579fc80..a67a1dc3cfa3 100644
--- a/kernel/perf_counter.c
+++ b/kernel/perf_counter.c
@@ -4171,6 +4171,7 @@ static int perf_copy_attr(struct perf_counter_attr __user *uattr,
if (val)
goto err_size;
}
+ size = sizeof(*attr);
}
ret = copy_from_user(attr, uattr, size);