[PATCH] select: don't overflow if (SELECT_STACK_ALLOC % sizeof(long) != 0)
If SELECT_STACK_ALLOC is not a multiple of sizeof(long) then stack_fds[] would be shorter than SELECT_STACK_ALLOC bytes and could overflow later in the function. Fixed by simply rearranging the test later to work on sizeof(stack_fds). Currently SELECT_STACK_ALLOC is 256 so this doesn't happen, but it's nasty to have things like this hidden in the code. What if later someone decides to change SELECT_STACK_ALLOC to 300? Signed-off-by: Mitchell Blank Jr <mitch@sfgoth.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
parent
a9cdf410ca
commit
b04eb6aa08
16
fs/select.c
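--- a/fs/select.c
+++ b/fs/select.c
@@ -311,7 +311,8 @@ static int core_sys_select(int n, fd_set __user *inp, fd_set __user *outp,
 {
 fd_set_bits fds;
 void *bits;
-int ret, size, max_fdset;
+int ret, max_fdset;
+unsigned int size;
 struct fdtable *fdt;
 /* Allocate small arguments on the stack to save memory and be faster */
 long stack_fds[SELECT_STACK_ALLOC/sizeof(long)];
@@ -333,14 +334,15 @@ static int core_sys_select(int n, fd_set __user *inp, fd_set __user *outp,
 * since we used fdset we need to allocate memory in units of
 * long-words.
 */
-ret = -ENOMEM;
 size = FDS_BYTES(n);
-if (6*size < SELECT_STACK_ALLOC)
-bits = stack_fds;
-else
+bits = stack_fds;
+if (size > sizeof(stack_fds) / 6) {
+/* Not enough space in on-stack array; must use kmalloc */
+ret = -ENOMEM;
 bits = kmalloc(6 * size, GFP_KERNEL);
 if (!bits)
 goto out_nofds;
+}
 fds.in = bits;
 fds.out = bits + size;
 fds.ex = bits + 2*size;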
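Review bot: The new test `if (size > sizeof(stack_fds) / 6) {` is right but the 6 reads as a magic number next to `kmalloc(6 * size, GFP_KERNEL)`; a why-comment would tie them together, e.g. `/* six fd_set bitmaps of 'size' bytes each (in/out/ex and their result sets) must fit; divide so the test itself cannot overflow */` — the result-set half of that is inferred from the layout below, not visible in the hunk. The boundary also shifts quietly: the old `6*size < SELECT_STACK_ALLOC` sent an exact fit to kmalloc, while the new test keeps it on the stack, which is fine but deserves a word in the description. Since `sizeof(stack_fds)` is a size_t and FDS_BYTES presumably yields one as well, `size_t size;` would avoid the narrowing assignment that `unsigned int size;` introduces. core_sys_select continues outside both hunks, and the clamp on n that keeps `6 * size` from wrapping is not in view, so that bound is assumed here rather than checked.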