Skip to main content

Browse the archive

https://github.com/torvalds/linux
16 September 2024, 20:19:31 UTC
Revision c78193e9c7bcbf25b8237ad0dec82f805c4ea69b authored by Linus Torvalds on 18 April 2011, 17:35:30 UTC, committed by Linus Torvalds on 18 April 2011, 17:35:30 UTC 
next_pidmap: fix overflow condition
 
next_pidmap() just quietly accepted whatever 'last' pid that was passed
in, which is not all that safe when one of the users is /proc.

Admittedly the proc code should do some sanity checking on the range
(and that will be the next commit), but that doesn't mean that the
helper functions should just do that pidmap pointer arithmetic without
checking the range of its arguments.

So clamp 'last' to PID_MAX_LIMIT.  The fact that we then do "last+1"
doesn't really matter, the for-loop does check against the end of the
pidmap array properly (it's only the actual pointer arithmetic overflow
case we need to worry about, and going one bit beyond isn't going to
overflow).

[ Use PID_MAX_LIMIT rather than pid_max as per Eric Biederman ]

Reported-by: Tavis Ormandy <taviso@cmpxchg8b.com>
Analyzed-by: Robert Święcki <robert@swiecki.net>
Cc: Eric W. Biederman <ebiederm@xmission.com>
Cc: Pavel Emelyanov <xemul@openvz.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
1 parent a1b49cb
History
Tip revision: c78193e9c7bcbf25b8237ad0dec82f805c4ea69b authored by Linus Torvalds on 18 April 2011, 17:35:30 UTC
next_pidmap: fix overflow condition
Tip revision: c78193e
File Mode Size
Documentation
arch
block
crypto
drivers
firmware
fs
include
init
ipc
kernel
lib
mm
net
samples
scripts
security
sound
tools
usr
virt
.gitignore -rw-r--r-- 941 bytes
.mailmap -rw-r--r-- 4.1 KB
COPYING -rw-r--r-- 18.3 KB
CREDITS -rw-r--r-- 91.7 KB
Kbuild -rw-r--r-- 2.4 KB
Kconfig -rw-r--r-- 252 bytes
MAINTAINERS -rw-r--r-- 188.2 KB
Makefile -rw-r--r-- 51.1 KB
README -rw-r--r-- 17.1 KB
REPORTING-BUGS -rw-r--r-- 3.3 KB

README

back to top