From: Mathieu Desnoyers Date: Tue, 31 Oct 2017 22:23:59 +0000 (-0400) Subject: Fix: lttng-logger get_user_pages_fast error handling X-Git-Tag: v2.11.0-rc1~101 X-Git-Url: http://git.lttng.org./?a=commitdiff_plain;h=467f3a485d0da1e9410c5e3e75790dc5f9f456cc;hp=7feabe53ccf316430ceb10986e718a638bd584c1;p=lttng-modules.git Fix: lttng-logger get_user_pages_fast error handling Comparing a signed return value against an unsigned nr_pages performs the comparison as "unsigned", and therefore mistakenly considers get_user_pages_fast() errors as success. By passing an invalid pointer to write() to the /proc/lttng-logger interface, unprivileged user-space processes can trigger a kernel OOPS. Signed-off-by: Mathieu Desnoyers --- diff --git a/probes/lttng.c b/probes/lttng.c index 8810fa22..09045fac 100644 --- a/probes/lttng.c +++ b/probes/lttng.c @@ -65,7 +65,7 @@ static ssize_t lttng_logger_write(struct file *file, const char __user *user_buf, size_t count, loff_t *ppos) { - unsigned int nr_pages = 1, i; + int nr_pages = 1, i; unsigned long uaddr = (unsigned long) user_buf; struct page *pages[2]; ssize_t written;
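Review bot: the changed declaration `int nr_pages = 1, i;` in lttng_logger_write() makes the error check correct only implicitly, through the type of nr_pages, and nothing on that line records why the type must stay signed. A later cleanup that turns the counter back into `unsigned int` (a natural choice for a page count) would silently reintroduce the bug the commit message describes, where a negative get_user_pages_fast() return is compared as unsigned and treated as success. Consider either a short comment on the declaration stating that it is compared against a signed return value, or holding the return value in its own `int` and testing it for `< 0` before comparing it with nr_pages, so the error path no longer depends on the declaration. The same line also changes `i` from unsigned to signed as a side effect; the uses of `i` and nr_pages are outside the visible context, so it is worth confirming that none of them are compared against `count` (a `size_t`) or another unsigned expression, where the same promotion would apply.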