| author | Pavel Skripkin <[email protected]> | 2021-09-08 02:58:21 +0000 |
|---|---|---|
| committer | Linus Torvalds <[email protected]> | 2021-09-08 18:50:26 +0000 |
| commit | 2d186afd04d669fe9c48b994c41a7405a3c9f16d (patch) | |
| tree | b29b5c8edd8e860bbe4e42a318871897a923249c /lib/math/rational.c | |
| parent | kernel/acct.c: use dedicated helper to access rlimit values (diff) | |

profiling: fix shift-out-of-bounds bugs

Syzbot reported shift-out-of-bounds bug in profile_init().
The problem was in incorrect prof_shift. Since prof_shift value comes from
userspace we need to clamp this value into [0, BITS_PER_LONG - 1]
boundaries.
Second possible shift-out-of-bounds was found by Tetsuo:
sample_step local variable in read_profile() had "unsigned int" type,
but prof_shift allows to make a BITS_PER_LONG shift. So, to prevent
possible shift-out-of-bounds sample_step type was changed to
"unsigned long".
Also, "unsigned short int" will be sufficient for storing
[0, BITS_PER_LONG] value, that's why there is no need for
"unsigned long" prof_shift.
Link: https://lkml.kernel.org/r/[email protected]
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-and-tested-by: [email protected]
Suggested-by: Tetsuo Handa <[email protected]>
Signed-off-by: Pavel Skripkin <[email protected]>
Cc: Thomas Gleixner <[email protected]>
Cc: Steven Rostedt <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
Diffstat (limited to 'lib/math/rational.c')
0 files changed, 0 insertions, 0 deletions
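
The two conditions the commit message describes, as an added user-space example that is not part of the commit or the kernel source: a caller-supplied shift is clamped into [0, BITS_PER_LONG - 1], and the step derived from it is computed in `unsigned long`. The helper names and the local `BITS_PER_LONG` definition are assumptions made for this sketch.

```c
#include <limits.h>
#include <stdio.h>

/* Assumption: local stand-in for the kernel's BITS_PER_LONG. */
#define BITS_PER_LONG ((int)(sizeof(long) * CHAR_BIT))

/* Hypothetical helper: clamp an untrusted shift into [0, BITS_PER_LONG - 1].
 * "unsigned short" is wide enough to hold any value in that range. */
static unsigned short clamp_shift(long requested)
{
    if (requested < 0)
        return 0;
    if (requested > BITS_PER_LONG - 1)
        return (unsigned short)(BITS_PER_LONG - 1);
    return (unsigned short)requested;
}

/* Step computed in unsigned long: every clamped shift is in range for 1UL. */
static unsigned long sample_step(unsigned short shift)
{
    return 1UL << shift;
}

/* Reports whether the same shift would be out of bounds if the step were
 * held in an "unsigned int", the narrower type the message mentions. */
static int exceeds_unsigned_int(unsigned short shift)
{
    return shift >= sizeof(unsigned int) * CHAR_BIT;
}

int main(void)
{
    /* Constructed sample inputs: negative, typical, boundary, oversized. */
    long samples[] = { -3, 2, 31, 40, 4096 };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        unsigned short s = clamp_shift(samples[i]);
        printf("requested=%ld clamped=%u step=%lu too_wide_for_uint=%d\n",
               samples[i], (unsigned)s, sample_step(s),
               exceeds_unsigned_int(s));
    }
    return 0;
}
```
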
