linux-brain

Linux kernel source tree for SHARP Brain series (PW-SH1 or later)

Go to file

Kees Cook 8e993f711d ipc/mqueue.c: only perform resource calculation if user valid [ Upstream commit `a318f12ed8` ] Andreas Christoforou reported: UBSAN: Undefined behaviour in ipc/mqueue.c:414:49 signed integer overflow: 9 * 2305843009213693951 cannot be represented in type 'long int' ... Call Trace: mqueue_evict_inode+0x8e7/0xa10 ipc/mqueue.c:414 evict+0x472/0x8c0 fs/inode.c:558 iput_final fs/inode.c:1547 [inline] iput+0x51d/0x8c0 fs/inode.c:1573 mqueue_get_inode+0x8eb/0x1070 ipc/mqueue.c:320 mqueue_create_attr+0x198/0x440 ipc/mqueue.c:459 vfs_mkobj+0x39e/0x580 fs/namei.c:2892 prepare_open ipc/mqueue.c:731 [inline] do_mq_open+0x6da/0x8e0 ipc/mqueue.c:771 Which could be triggered by: struct mq_attr attr = { .mq_flags = 0, .mq_maxmsg = 9, .mq_msgsize = 0x1fffffffffffffff, .mq_curmsgs = 0, }; if (mq_open("/testing", 0x40, 3, &attr) == (mqd_t) -1) perror("mq_open"); mqueue_get_inode() was correctly rejecting the giant mq_msgsize, and preparing to return -EINVAL. During the cleanup, it calls mqueue_evict_inode() which performed resource usage tracking math for updating "user", before checking if there was a valid "user" at all (which would indicate that the calculations would be sane). Instead, delay this check to after seeing a valid "user". The overflow was real, but the results went unused, so while the flaw is harmless, it's noisy for kernel fuzzers, so just fix it by moving the calculation under the non-NULL "user" where it actually gets used. Link: http://lkml.kernel.org/r/201906072207.ECB65450@keescook Signed-off-by: Kees Cook <keescook@chromium.org> Reported-by: Andreas Christoforou <andreaschristofo@gmail.com> Acked-by: "Eric W. Biederman" <ebiederm@xmission.com> Cc: Al Viro <viro@zeniv.linux.org.uk> Cc: Arnd Bergmann <arnd@arndb.de> Cc: Davidlohr Bueso <dave@stgolabs.net> Cc: Manfred Spraul <manfred@colorfullife.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Sasha Levin <sashal@kernel.org>		2019-08-06 19:05:24 +02:00
Documentation	arm64: dts: marvell: Fix A37xx UART0 register size	2019-08-04 09:32:00 +02:00
arch	x86: math-emu: Hide clang warnings for 16-bit overflow	2019-08-06 19:05:23 +02:00
block	block/bio-integrity: fix a memory leak bug	2019-07-31 07:28:55 +02:00
certs	Replace magic for trusting the secondary keyring with #define	2018-09-09 19:55:54 +02:00
crypto	crypto: chacha20poly1305 - fix atomic sleep when using async algorithm	2019-07-31 07:28:35 +02:00
drivers	drivers/rapidio/devices/rio_mport_cdev.c: NUL terminate some strings	2019-08-06 19:05:24 +02:00
firmware	License cleanup: add SPDX GPL-2.0 license identifier to files with no license	2017-11-02 11:10:55 +01:00
fs	coda: add error handling for fget	2019-08-06 19:05:23 +02:00
include	uapi linux/coda_psdev.h: move upc_req definition from uapi to kernel side headers	2019-08-06 19:05:24 +02:00
init	init: initialize jump labels before command line option parsing	2019-05-16 19:42:23 +02:00
ipc	ipc/mqueue.c: only perform resource calculation if user valid	2019-08-06 19:05:24 +02:00
kernel	kernel/module.c: Only return -EEXIST for modules that have finished loading	2019-08-06 19:05:20 +02:00
lib	lib/strscpy: Shut up KASAN false-positives in strscpy()	2019-07-31 07:28:44 +02:00
mm	mm/cma.c: fail if fixed declaration can't be honored	2019-08-06 19:05:23 +02:00
net	ip_tunnel: allow not to count pkts on tstats by setting skb's dev to NULL	2019-08-04 09:32:03 +02:00
samples	samples, bpf: fix to change the buffer size for read()	2019-07-21 09:04:17 +02:00
scripts	kallsyms: exclude kasan local symbols on s390	2019-07-31 07:28:54 +02:00
security	apparmor: enforce nullbyte at end of tag string	2019-06-25 11:36:51 +08:00
sound	ALSA: hda - Add a conexant codec entry to let mute led work	2019-07-31 07:28:58 +02:00
tools	perf annotate: Fix dereferencing freed memory found by the smatch tool	2019-07-31 07:28:54 +02:00
usr	initramfs: fix initramfs rebuilds w/ compression after disabling	2017-11-03 07:39:19 -07:00
virt	KVM: arm/arm64: vgic: Fix kvm_device leak in vgic_its_destroy	2019-07-21 09:04:24 +02:00
.cocciconfig	scripts: add Linux .cocciconfig for coccinelle	2016-07-22 12:13:39 +02:00
.get_maintainer.ignore	Add hch to .get_maintainer.ignore	2015-08-21 14:30:10 -07:00
.gitattributes	.gitattributes: set git diff driver for C source code files	2016-10-07 18:46:30 -07:00
.gitignore	kbuild: rpm-pkg: keep spec file until make mrproper	2018-02-13 10:19:46 +01:00
.mailmap	.mailmap: Add Maciej W. Rozycki's Imagination e-mail address	2017-11-10 12:16:15 -08:00
COPYING	…
CREDITS	MAINTAINERS: update TPM driver infrastructure changes	2017-11-09 17:58:40 -08:00
Kbuild	License cleanup: add SPDX GPL-2.0 license identifier to files with no license	2017-11-02 11:10:55 +01:00
Kconfig	License cleanup: add SPDX GPL-2.0 license identifier to files with no license	2017-11-02 11:10:55 +01:00
MAINTAINERS	MAINTAINERS: Add Sasha as a stable branch maintainer	2018-12-01 09:42:50 +01:00
Makefile	Linux 4.14.136	2019-08-04 09:32:04 +02:00
README	README: add a new README file, pointing to the Documentation/	2016-10-24 08:12:35 -02:00

README

Linux kernel
============

This file was moved to Documentation/admin-guide/README.rst

Please notice that there are several guides for kernel developers and users.
These guides can be rendered in a number of formats, like HTML and PDF.

In order to build the documentation, use ``make htmldocs`` or
``make pdfdocs``.

There are various text files in the Documentation/ subdirectory,
several of them using the Restructured Text markup notation.
See Documentation/00-INDEX for a list of what is contained in each file.

Please read the Documentation/process/changes.rst file, as it contains the
requirements for building and running the kernel, and information about
the problems which may result by upgrading your kernel.