git.karo-electronics.de Git - karo-tx-linux.git/commit

next_pidmap: fix overflow condition

commit c78193e9c7bcbf25b8237ad0dec82f805c4ea69b upstream.

next_pidmap() just quietly accepted whatever 'last' pid that was passed
in, which is not all that safe when one of the users is /proc.

Admittedly the proc code should do some sanity checking on the range
(and that will be the next commit), but that doesn't mean that the
helper functions should just do that pidmap pointer arithmetic without
checking the range of its arguments.

So clamp 'last' to PID_MAX_LIMIT. The fact that we then do "last+1"
doesn't really matter, the for-loop does check against the end of the
pidmap array properly (it's only the actual pointer arithmetic overflow
case we need to worry about, and going one bit beyond isn't going to
overflow).

[ Use PID_MAX_LIMIT rather than pid_max as per Eric Biederman ]

Reported-by: Tavis Ormandy <taviso@cmpxchg8b.com>
Analyzed-by: Robert Święcki <robert@swiecki.net>
Cc: Eric W. Biederman <ebiederm@xmission.com>
Cc: Pavel Emelyanov <xemul@openvz.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>

author	Linus Torvalds <torvalds@linux-foundation.org>
	Mon, 18 Apr 2011 17:35:30 +0000 (10:35 -0700)
committer	Paul Gortmaker <paul.gortmaker@windriver.com>
	Wed, 14 Mar 2012 14:57:19 +0000 (10:57 -0400)
commit	1e6b4f8971e43ea40fba523bc98ef30a17e8acc7
tree	db27eaff956b742097d964db5b40190107b5650b	tree \| snapshot
parent	0c1ed3f18bacae7b6eb5845d028dad9186121ed7	commit \| diff

include/linux/pid.h		diff \| blob \| history
kernel/pid.c		diff \| blob \| history