perf_counter: Fix buffer overflow in perf_copy_attr()

commit b3e62e35058fc744ac794611f4e79bcd1c5a4b83 upstream. If we pass a big size data over perf_counter_open() syscall, the kernel will copy this data to a small buffer, it will cause kernel crash. This bug makes the kernel unsafe and non-root local user can trigger it. Signed-off-by: Xiao Guangrong <xiaoguangrong@cn.fujitsu.com> Acked-by: Peter Zijlstra <peterz@infradead.org> Acked-by: Paul Mackerras <paulus@samba.org> LKML-Reference: <4AAF37D4.5010706@cn.fujitsu.com> Signed-off-by: Ingo Molnar <mingo@elte.hu> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
author: Xiao Guangrong <xiaoguangrong@cn.fujitsu.com> 2009-09-15 14:44:36 +0800
committer: Greg Kroah-Hartman <gregkh@suse.de> 2009-09-24 08:43:54 -0700
commit: 986ddf533c1dd6852196182084aefe1ca9eda34e (patch)
tree: 4f0629b16099a3659c6ea816d29166f9d50a63e5 /kernel
parent: cb0365c9e045c09a92363d0e52b7cdaf18ce7f54 (diff)
1 files changed, 1 insertions, 0 deletions
diff --git a/kernel/perf_counter.c b/kernel/perf_counter.c
index d7cbc579fc80..a67a1dc3cfa3 100644
--- a/kernel/perf_counter.c
+++ b/kernel/perf_counter.c
@@ -4171,6 +4171,7 @@ static int perf_copy_attr(struct perf_counter_attr __user *uattr,
 			if (val)
 				goto err_size;
 		}
+		size = sizeof(*attr);
 	}
 
 	ret = copy_from_user(attr, uattr, size);
author	Xiao Guangrong <xiaoguangrong@cn.fujitsu.com>	2009-09-15 14:44:36 +0800
committer	Greg Kroah-Hartman <gregkh@suse.de>	2009-09-24 08:43:54 -0700
commit	986ddf533c1dd6852196182084aefe1ca9eda34e (patch)
tree	4f0629b16099a3659c6ea816d29166f9d50a63e5 /kernel
parent	cb0365c9e045c09a92363d0e52b7cdaf18ce7f54 (diff)