From: Xiao Guangrong Date: Tue, 15 Sep 2009 06:44:36 +0000 (+0800) Subject: perf_counter: Fix buffer overflow in perf_copy_attr() X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=b3e62e35058fc744ac794611f4e79bcd1c5a4b83;p=GitHub%2FLineageOS%2FG12%2Fandroid_kernel_amlogic_linux-4.9.git perf_counter: Fix buffer overflow in perf_copy_attr() If we pass a big size data over perf_counter_open() syscall, the kernel will copy this data to a small buffer, it will cause kernel crash. This bug makes the kernel unsafe and non-root local user can trigger it. Signed-off-by: Xiao Guangrong Acked-by: Peter Zijlstra Acked-by: Paul Mackerras Cc: LKML-Reference: <4AAF37D4.5010706@cn.fujitsu.com> Signed-off-by: Ingo Molnar --- diff --git a/kernel/perf_counter.c b/kernel/perf_counter.c index d7cbc579fc80..a67a1dc3cfa3 100644 --- a/kernel/perf_counter.c +++ b/kernel/perf_counter.c @@ -4171,6 +4171,7 @@ static int perf_copy_attr(struct perf_counter_attr __user *uattr, if (val) goto err_size; } + size = sizeof(*attr); } ret = copy_from_user(attr, uattr, size);