From: Xiao Guangrong <xiaoguangrong@cn.fujitsu.com>
Date: Tue, 15 Sep 2009 06:44:36 +0000 (+0800)
Subject: perf_counter: Fix buffer overflow in perf_copy_attr()
X-Git-Tag: 2.1b_release~11452^2
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=b3e62e35058fc744ac794611f4e79bcd1c5a4b83;p=platform%2Fkernel%2Fkernel-mfld-blackbay.git

perf_counter: Fix buffer overflow in perf_copy_attr()

If we pass a big size data over perf_counter_open() syscall,
the kernel will copy this data to a small buffer, it will
cause kernel crash.

This bug makes the kernel unsafe and non-root local user can
trigger it.

Signed-off-by: Xiao Guangrong <xiaoguangrong@cn.fujitsu.com>
Acked-by: Peter Zijlstra <peterz@infradead.org>
Acked-by: Paul Mackerras <paulus@samba.org>
Cc: <stable@kernel.org>
LKML-Reference: <4AAF37D4.5010706@cn.fujitsu.com>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
---

diff --git a/kernel/perf_counter.c b/kernel/perf_counter.c
index d7cbc57..a67a1dc 100644
--- a/kernel/perf_counter.c
+++ b/kernel/perf_counter.c
@@ -4171,6 +4171,7 @@ static int perf_copy_attr(struct perf_counter_attr __user *uattr,
 			if (val)
 				goto err_size;
 		}
+		size = sizeof(*attr);
 	}
 
 	ret = copy_from_user(attr, uattr, size);