Commit df84e5eb authored by Andrew Morton's avatar Andrew Morton Committed by Linus Torvalds

[PATCH] add range checking to sys_sysctl()

If you pass a huge nlen value into sys_sysctl() it will loop for hours
printing billions of question marks, so range-check the arguments.

Also, remove the code which informs the user that the sysctl is obsolete: it
allows unprivileged users to spam the logs.
parent 93d11872
...@@ -888,27 +888,13 @@ int do_sysctl(int __user *name, int nlen, void __user *oldval, size_t __user *ol ...@@ -888,27 +888,13 @@ int do_sysctl(int __user *name, int nlen, void __user *oldval, size_t __user *ol
asmlinkage long sys_sysctl(struct __sysctl_args __user *args) asmlinkage long sys_sysctl(struct __sysctl_args __user *args)
{ {
struct __sysctl_args tmp; struct __sysctl_args tmp;
int name[2];
int error; int error;
if (copy_from_user(&tmp, args, sizeof(tmp))) if (copy_from_user(&tmp, args, sizeof(tmp)))
return -EFAULT; return -EFAULT;
if (tmp.nlen != 2 || copy_from_user(name, tmp.name, sizeof(name)) || if (tmp.nlen < 0 || tmp.nlen > CTL_MAXNAME)
name[0] != CTL_KERN || name[1] != KERN_VERSION) { return -EINVAL;
int i;
printk(KERN_INFO "%s: numerical sysctl ", current->comm);
for (i = 0; i < tmp.nlen; i++) {
int n;
if (get_user(n, tmp.name+i)) {
printk("? ");
} else {
printk("%d ", n);
}
}
printk("is obsolete.\n");
}
lock_kernel(); lock_kernel();
error = do_sysctl(tmp.name, tmp.nlen, tmp.oldval, tmp.oldlenp, error = do_sysctl(tmp.name, tmp.nlen, tmp.oldval, tmp.oldlenp,
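Review bot: The new guard in sys_sysctl() still admits `tmp.nlen == 0` and `tmp.nlen == CTL_MAXNAME`, so whether an empty or maximum-length name vector is safe depends entirely on do_sysctl(), whose body is outside this hunk. The hunk header shows do_sysctl() is not static, so any other in-kernel caller would bypass a check that lives only in the syscall wrapper. If do_sysctl() does not already bound nlen itself, the test belongs there, or in both places. A short comment above the check, for example `/* nlen is user-controlled: bound it before it is used as a count */`, would record why it exists now that the logging loop that motivated it has been removed.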