From patchwork Sat Jan 11 15:49:02 2014
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Russell King - ARM Linux <linux@arm.linux.org.uk>
X-Patchwork-Id: 3469431
Return-Path: 
 <linux-arm-kernel-bounces+patchwork-linux-arm=patchwork.kernel.org@lists.infradead.org>
X-Original-To: patchwork-linux-arm@patchwork.kernel.org
Delivered-To: patchwork-parsemail@patchwork1.web.kernel.org
Received: from mail.kernel.org (mail.kernel.org [198.145.19.201])
	by patchwork1.web.kernel.org (Postfix) with ESMTP id 9AE899F39C
	for <patchwork-linux-arm@patchwork.kernel.org>;
	Sat, 11 Jan 2014 15:49:49 +0000 (UTC)
Received: from mail.kernel.org (localhost [127.0.0.1])
	by mail.kernel.org (Postfix) with ESMTP id D25C82015D
	for <patchwork-linux-arm@patchwork.kernel.org>;
	Sat, 11 Jan 2014 15:49:48 +0000 (UTC)
Received: from casper.infradead.org (casper.infradead.org [85.118.1.10])
	(using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by mail.kernel.org (Postfix) with ESMTPS id 8D46020155
	for <patchwork-linux-arm@patchwork.kernel.org>;
	Sat, 11 Jan 2014 15:49:47 +0000 (UTC)
Received: from merlin.infradead.org ([2001:4978:20e::2])
	by casper.infradead.org with esmtps (Exim 4.80.1 #2 (Red Hat Linux))
	id 1W20oZ-0006kS-T5; Sat, 11 Jan 2014 15:49:36 +0000
Received: from localhost ([::1] helo=merlin.infradead.org)
	by merlin.infradead.org with esmtp (Exim 4.80.1 #2 (Red Hat Linux))
	id 1W20oX-0005or-Bt; Sat, 11 Jan 2014 15:49:33 +0000
Received: from pandora.arm.linux.org.uk
	([2001:4d48:ad52:3201:214:fdff:fe10:1be6])
	by merlin.infradead.org with esmtps (Exim 4.80.1 #2 (Red Hat Linux))
	id 1W20oT-0005oM-A6 for linux-arm-kernel@lists.infradead.org;
	Sat, 11 Jan 2014 15:49:30 +0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
	d=arm.linux.org.uk; s=pandora;
	h=Sender:Content-Type:MIME-Version:Message-ID:Subject:To:From:Date;
	bh=pxAhoaWm/QgE9cv1AVS6fGJJp+2YrhRaxqm2wwoFItc=;
	b=BuycY7LB+yPrToFIOK8d5sctfp86XAvQsUuyzJ8qqOW6KMVGk6hDCyA/A+MhX0KwItppkvyZ3WV0EkNKmHqVIEFj/Vp0rK99dhvV7Spf9432oUIaHWt+FJogMtmzIzxaXTmIRJ7CFIS5BTFGzFnvFPDXyLkd+7sS2zM6ghsHhfU=;
Received: from n2100.arm.linux.org.uk
	([2002:4e20:1eda:1:214:fdff:fe10:4f86]:41409)
	by pandora.arm.linux.org.uk with esmtpsa (TLSv1:AES256-SHA:256)
	(Exim 4.76) (envelope-from <linux@arm.linux.org.uk>)
	id 1W20o5-00068A-5e for linux-arm-kernel@lists.infradead.org;
	Sat, 11 Jan 2014 15:49:05 +0000
Received: from linux by n2100.arm.linux.org.uk with local (Exim 4.76)
	(envelope-from <linux@n2100.arm.linux.org.uk>) id 1W20o3-0005Mj-JO
	for linux-arm-kernel@lists.infradead.org;
	Sat, 11 Jan 2014 15:49:03 +0000
Date: Sat, 11 Jan 2014 15:49:02 +0000
From: Russell King - ARM Linux <linux@arm.linux.org.uk>
To: linux-arm-kernel@lists.infradead.org
Subject: [PATCH] Harden OABI epoll_wait() against trinity
Message-ID: <20140111154902.GK15937@n2100.arm.linux.org.uk>
MIME-Version: 1.0
Content-Disposition: inline
User-Agent: Mutt/1.5.19 (2009-01-05)
X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 
X-CRM114-CacheID: sfid-20140111_104929_796123_E12F0303 
X-CRM114-Status: GOOD (  14.55  )
X-Spam-Score: -2.1 (--)
X-BeenThere: linux-arm-kernel@lists.infradead.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <linux-arm-kernel.lists.infradead.org>
List-Unsubscribe: 
 <http://lists.infradead.org/mailman/options/linux-arm-kernel>,
	<mailto:linux-arm-kernel-request@lists.infradead.org?subject=unsubscribe>
List-Archive: <http://lists.infradead.org/pipermail/linux-arm-kernel/>
List-Post: <mailto:linux-arm-kernel@lists.infradead.org>
List-Help: <mailto:linux-arm-kernel-request@lists.infradead.org?subject=help>
List-Subscribe: 
 <http://lists.infradead.org/mailman/listinfo/linux-arm-kernel>,
	<mailto:linux-arm-kernel-request@lists.infradead.org?subject=subscribe>
Sender: "linux-arm-kernel" <linux-arm-kernel-bounces@lists.infradead.org>
Errors-To: 
 linux-arm-kernel-bounces+patchwork-linux-arm=patchwork.kernel.org@lists.infradead.org
X-Spam-Status: No, score=-4.2 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	RCVD_IN_DNSWL_MED,RP_MATCHES_RCVD,T_DKIM_INVALID,UNPARSEABLE_RELAY
	autolearn=unavailable version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

While running trinity on the OMAP4430 SDP, an issue was noticed with
the OABI epoll helper causing memory allocation failure warnings.

There are two issues here - the first is what happens when a very
large number of events is passed, but the user address does not allow
them to be stored.  This is simple to address, since we can just use
access_ok() to verify that the memory is writable.

The second is what happens when the user address is valid, but still
a large number of events has been passed.  This can still cause
kmalloc() to fail.  So, let it fail, but without warning, thereby
causing userspace to be given an ENOMEM error.

Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Acked-by: Nicolas Pitre <nico@linaro.org>
---
 arch/arm/kernel/sys_oabi-compat.c |    6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/arch/arm/kernel/sys_oabi-compat.c b/arch/arm/kernel/sys_oabi-compat.c
index 3e94811..4e34405 100644
--- a/arch/arm/kernel/sys_oabi-compat.c
+++ b/arch/arm/kernel/sys_oabi-compat.c
@@ -277,7 +277,11 @@ asmlinkage long sys_oabi_epoll_wait(int epfd,
 
 	if (maxevents <= 0 || maxevents > (INT_MAX/sizeof(struct epoll_event)))
 		return -EINVAL;
-	kbuf = kmalloc(sizeof(*kbuf) * maxevents, GFP_KERNEL);
+
+	if (!access_ok(VERIFY_WRITE, events, maxevents * sizeof(*events)))
+		return -EFAULT;
+
+	kbuf = kmalloc(sizeof(*kbuf) * maxevents, GFP_KERNEL | __GFP_NOWARN);
 	if (!kbuf)
 		return -ENOMEM;
 	fs = get_fs();