diff options
| author | Gerald Schaefer <gerald.schaefer@linux.ibm.com> | 2026-06-23 19:44:06 +0200 |
|---|---|---|
| committer | Vasily Gorbik <gor@linux.ibm.com> | 2026-07-02 16:51:06 +0200 |
| commit | 2995ccec260caa9e85b3301a4aba1e66ed80ad74 (patch) | |
| tree | 582428b3465626f8e8b84d6749441175681feb94 /tools/testing | |
| parent | 754e9e49b76fd5be339172aa98544182ed3ca75e (diff) | |
| download | lwn-2995ccec260caa9e85b3301a4aba1e66ed80ad74.tar.gz lwn-2995ccec260caa9e85b3301a4aba1e66ed80ad74.zip | |
s390/monwriter: Reject buffer reuse with different data length
When data buffers are reused, e.g. for interval sample records, the
first record determines the data length, and the size of the buffer for
user copy. Current monwriter code does not check if the data length was
changed for subsequent records, which also would never happen for valid
user programs.
However, a malicious user could change the data length, resulting in out
of bounds user copy to the kernel buffer, and memory corruption. By
default, the monwriter misc device is created with root-only permissions,
so practical impact is typically low.
Fix this by checking for changed data length and rejecting such records.
Cc: stable@vger.kernel.org
Signed-off-by: Gerald Schaefer <gerald.schaefer@linux.ibm.com>
Reviewed-by: Christian Borntraeger <borntraeger@linux.ibm.com>
Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
Diffstat (limited to 'tools/testing')
0 files changed, 0 insertions, 0 deletions
