Commit b04eb6aa authored by Mitchell Blank Jr's avatar Mitchell Blank Jr Committed by Linus Torvalds

[PATCH] select: don't overflow if (SELECT_STACK_ALLOC % sizeof(long) != 0)

If SELECT_STACK_ALLOC is not a multiple of sizeof(long) then stack_fds[]
would be shorter than SELECT_STACK_ALLOC bytes and could overflow later in
the function.  Fixed by simply rearranging the test later to work on
sizeof(stack_fds). Currently SELECT_STACK_ALLOC is 256 so this doesn't
happen, but it's nasty to have things like this hidden in the code.  What
if later someone decides to change SELECT_STACK_ALLOC to 300?
Signed-off-by: default avatarMitchell Blank Jr <mitch@sfgoth.com>
Signed-off-by: default avatarAndrew Morton <akpm@osdl.org>
Signed-off-by: default avatarLinus Torvalds <torvalds@osdl.org>
parent a9cdf410
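--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -311,7 +311,8 @@ static int core_sys_select(int n, fd_set __user *inp, fd_set __user *outp,
 {
 fd_set_bits fds;
 void *bits;
-int ret, size, max_fdset;
+int ret, max_fdset;
+unsigned int size;
 struct fdtable *fdt;
 /* Allocate small arguments on the stack to save memory and be faster */
 long stack_fds[SELECT_STACK_ALLOC/sizeof(long)];
@@ -333,14 +334,15 @@ static int core_sys_select(int n, fd_set __user *inp, fd_set __user *outp,
 * since we used fdset we need to allocate memory in units of
 * long-words.
 */
-ret = -ENOMEM;
 size = FDS_BYTES(n);
-if (6*size < SELECT_STACK_ALLOC)
 bits = stack_fds;
-else
+if (size > sizeof(stack_fds) / 6) {
+/* Not enough space in on-stack array; must use kmalloc */
+ret = -ENOMEM;
 bits = kmalloc(6 * size, GFP_KERNEL);
 if (!bits)
 goto out_nofds;
+}
 fds.in = bits;
 fds.out = bits + size;
 fds.ex = bits + 2*size;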
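Review bot: The constant 6 that ties the guard `if (size > sizeof(stack_fds) / 6)` to the allocation `kmalloc(6 * size, GFP_KERNEL)` is now the only thing keeping the stack bound and the heap size in agreement, and nothing in the hunk says what it counts; only three of the slices (`fds.in`, `fds.out`, `fds.ex`) are visible here, so the remaining three are presumably laid out below the hunk. A comment on the guard such as `/* six bitmaps of 'size' bytes each must fit in stack_fds */` would make the invariant explicit, and a single named constant used in both places would stop the two from drifting apart the way SELECT_STACK_ALLOC and the array length did. With `size` now `unsigned int`, `6 * size` also depends on n having been clamped earlier in the function (the `max_fdset` local suggests this, but the check is not in the hunk); worth confirming that the clamp still precedes this point. core_sys_select starts and ends outside both hunks.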