Diffstat (limited to 'recipes-kernel/linux/linux-ti33x-psp-3.2/3.2.17/0064-phonet-Check-input-from-user-before-allocating.patch')
-rw-r--r-- | recipes-kernel/linux/linux-ti33x-psp-3.2/3.2.17/0064-phonet-Check-input-from-user-before-allocating.patch | 78 |
1 files changed, 78 insertions, 0 deletions
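--- /dev/null
+++ b/recipes-kernel/linux/linux-ti33x-psp-3.2/3.2.17/0064-phonet-Check-input-from-user-before-allocating.patch
@@ -0,0 +1,78 @@
+From 636e8de47aae86650672a0065eb401e918544d34 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <levinsasha928@gmail.com>
+Date: Thu, 5 Apr 2012 12:07:45 +0000
+Subject: [PATCH 064/165] phonet: Check input from user before allocating
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit bcf1b70ac6eb0ed8286c66e6bf37cb747cbaa04c ]
+
+A phonet packet is limited to USHRT_MAX bytes, this is never checked during
+tx which means that the user can specify any size he wishes, and the kernel
+will attempt to allocate that size.
+
+In the good case, it'll lead to the following warning, but it may also cause
+the kernel to kick in the OOM and kill a random task on the server.
+
+[ 8921.744094] WARNING: at mm/page_alloc.c:2255 __alloc_pages_slowpath+0x65/0x730()
+[ 8921.749770] Pid: 5081, comm: trinity Tainted: G W 3.4.0-rc1-next-20120402-sasha #46
+[ 8921.756672] Call Trace:
+[ 8921.758185] [<ffffffff810b2ba7>] warn_slowpath_common+0x87/0xb0
+[ 8921.762868] [<ffffffff810b2be5>] warn_slowpath_null+0x15/0x20
+[ 8921.765399] [<ffffffff8117eae5>] __alloc_pages_slowpath+0x65/0x730
+[ 8921.769226] [<ffffffff81179c8a>] ? zone_watermark_ok+0x1a/0x20
+[ 8921.771686] [<ffffffff8117d045>] ? get_page_from_freelist+0x625/0x660
+[ 8921.773919] [<ffffffff8117f3a8>] __alloc_pages_nodemask+0x1f8/0x240
+[ 8921.776248] [<ffffffff811c03e0>] kmalloc_large_node+0x70/0xc0
+[ 8921.778294] [<ffffffff811c4bd4>] __kmalloc_node_track_caller+0x34/0x1c0
+[ 8921.780847] [<ffffffff821b0e3c>] ? sock_alloc_send_pskb+0xbc/0x260
+[ 8921.783179] [<ffffffff821b3c65>] __alloc_skb+0x75/0x170
+[ 8921.784971] [<ffffffff821b0e3c>] sock_alloc_send_pskb+0xbc/0x260
+[ 8921.787111] [<ffffffff821b002e>] ? release_sock+0x7e/0x90
+[ 8921.788973] [<ffffffff821b0ff0>] sock_alloc_send_skb+0x10/0x20
+[ 8921.791052] [<ffffffff824cfc20>] pep_sendmsg+0x60/0x380
+[ 8921.792931] [<ffffffff824cb4a6>] ? pn_socket_bind+0x156/0x180
+[ 8921.794917] [<ffffffff824cb50f>] ? pn_socket_autobind+0x3f/0x90
+[ 8921.797053] [<ffffffff824cb63f>] pn_socket_sendmsg+0x4f/0x70
+[ 8921.798992] [<ffffffff821ab8e7>] sock_aio_write+0x187/0x1b0
+[ 8921.801395] [<ffffffff810e325e>] ? sub_preempt_count+0xae/0xf0
+[ 8921.803501] [<ffffffff8111842c>] ? __lock_acquire+0x42c/0x4b0
+[ 8921.805505] [<ffffffff821ab760>] ? __sock_recv_ts_and_drops+0x140/0x140
+[ 8921.807860] [<ffffffff811e07cc>] do_sync_readv_writev+0xbc/0x110
+[ 8921.809986] [<ffffffff811958e7>] ? might_fault+0x97/0xa0
+[ 8921.811998] [<ffffffff817bd99e>] ? security_file_permission+0x1e/0x90
+[ 8921.814595] [<ffffffff811e17e2>] do_readv_writev+0xe2/0x1e0
+[ 8921.816702] [<ffffffff810b8dac>] ? do_setitimer+0x1ac/0x200
+[ 8921.818819] [<ffffffff810e2ec1>] ? get_parent_ip+0x11/0x50
+[ 8921.820863] [<ffffffff810e325e>] ? sub_preempt_count+0xae/0xf0
+[ 8921.823318] [<ffffffff811e1926>] vfs_writev+0x46/0x60
+[ 8921.825219] [<ffffffff811e1a3f>] sys_writev+0x4f/0xb0
+[ 8921.827127] [<ffffffff82658039>] system_call_fastpath+0x16/0x1b
+[ 8921.829384] ---[ end trace dffe390f30db9eb7 ]---
+
+Signed-off-by: Sasha Levin <levinsasha928@gmail.com>
+Acked-by: RĂ©mi Denis-Courmont <remi.denis-courmont@nokia.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+net/phonet/pep.c | 3 +++
+1 files changed, 3 insertions(+), 0 deletions(-)
+
+diff --git a/net/phonet/pep.c b/net/phonet/pep.c
+index 2ba6e9f..007546d 100644
+--- a/net/phonet/pep.c
++++ b/net/phonet/pep.c
+@@ -1046,6 +1046,9 @@ static int pep_sendmsg(struct kiocb *iocb, struct sock *sk,
+int flags = msg->msg_flags;
+int err, done;
+
++ if (len > USHRT_MAX)
++ return -EMSGSIZE;
++
+if ((msg->msg_flags & ~(MSG_DONTWAIT|MSG_EOR|MSG_NOSIGNAL|
+MSG_CMSG_COMPAT)) ||
+!(msg->msg_flags & MSG_EOR))
+--
+1.7.7.6
+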
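Review bot: The new `if (len > USHRT_MAX)` guard in pep_sendmsg has no comment naming the limit it enforces, and it bounds only the caller-supplied payload length. I would add `/* A Phonet packet is limited to USHRT_MAX bytes; reject oversized requests before any skb allocation. */` directly above it. The size later handed to the allocator is outside this hunk, so if header room is added to `len` there, confirm that a payload just under the limit is still rejected further down the transmit path rather than wrapped in a 16-bit length. The guard also sits ahead of the `msg_flags` validation, so an oversized request with unsupported flags now gets -EMSGSIZE instead of the flags error, which deserves a word in the same comment. pep_sendmsg's body starts and ends outside the hunk.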