diff options
author | yonghua zheng <younghua.zheng@gmail.com> | 2013-08-13 16:01:03 -0700 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2013-08-20 08:43:02 -0700 |
commit | f30d87b004dcb4b260dcb2667d5ef6998f4aac1f (patch) | |
tree | 047816d8caaa3557c6e18ae0f2bf789207457c92 /net/tipc | |
parent | f6c19e2f7d9204bca6576f03a117bec4eaaa9b5b (diff) | |
download | linux-3.10-f30d87b004dcb4b260dcb2667d5ef6998f4aac1f.tar.gz linux-3.10-f30d87b004dcb4b260dcb2667d5ef6998f4aac1f.tar.bz2 linux-3.10-f30d87b004dcb4b260dcb2667d5ef6998f4aac1f.zip |
fs/proc/task_mmu.c: fix buffer overflow in add_page_map()
commit 8c8296223f3abb142be8fc31711b18a704c0e7d8 upstream.
Recently we met quite a lot of random kernel panic issues after enabling
CONFIG_PROC_PAGE_MONITOR. After debuggind we found this has something
to do with following bug in pagemap:
In struct pagemapread:
struct pagemapread {
int pos, len;
pagemap_entry_t *buffer;
bool v2;
};
pos is number of PM_ENTRY_BYTES in buffer, but len is the size of
buffer, it is a mistake to compare pos and len in add_page_map() for
checking buffer is full or not, and this can lead to buffer overflow and
random kernel panic issue.
Correct len to be total number of PM_ENTRY_BYTES in buffer.
[akpm@linux-foundation.org: document pagemapread.pos and .len units, fix PM_ENTRY_BYTES definition]
Signed-off-by: Yonghua Zheng <younghua.zheng@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'net/tipc')
0 files changed, 0 insertions, 0 deletions