Skip to content

Commit

Permalink
hugetlb: check the return value of string conversion in sysctl handler
Browse files Browse the repository at this point in the history 
proc_doulongvec_minmax may fail if the given buffer doesn't represent a
valid number.  If we provide something invalid we will initialize the
resulting value (nr_overcommit_huge_pages in this case) to a random value
from the stack.

The issue was introduced by a3d0c6a when the default handler has been
replaced by the helper function where we do not check the return value.

Reproducer:
echo "" > /proc/sys/vm/nr_overcommit_hugepages

[[email protected]: correctly propagate proc_doulongvec_minmax return code]
Signed-off-by: Michal Hocko <[email protected]>
Cc: CAI Qian <[email protected]>
Cc: Nishanth Aravamudan <[email protected]>
Cc: Andrea Arcangeli <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
  • Loading branch information
@torvalds
Michal Hocko authored and torvalds committed Jan 14, 2011
1 parent cb9ef8d commit 08d4a24
Showing 1 changed file with 12 additions and 6 deletions.
18 changes: 12 additions & 6 deletions mm/hugetlb.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1859,13 +1859,16 @@ static int hugetlb_sysctl_handler_common(bool obey_mempolicy,
{
struct hstate *h = &default_hstate;
unsigned long tmp;
int ret;

if (!write)
tmp = h->max_huge_pages;

table->data = &tmp;
table->maxlen = sizeof(unsigned long);
proc_doulongvec_minmax(table, write, buffer, length, ppos);
ret = proc_doulongvec_minmax(table, write, buffer, length, ppos);
if (ret)
goto out;

if (write) {
NODEMASK_ALLOC(nodemask_t, nodes_allowed,
Expand All @@ -1880,8 +1883,8 @@ static int hugetlb_sysctl_handler_common(bool obey_mempolicy,
if (nodes_allowed != &node_states[N_HIGH_MEMORY])
NODEMASK_FREE(nodes_allowed);
}

return 0;
out:
return ret;
}

int hugetlb_sysctl_handler(struct ctl_table *table, int write,
Expand Down Expand Up @@ -1919,21 +1922,24 @@ int hugetlb_overcommit_handler(struct ctl_table *table, int write,
{
struct hstate *h = &default_hstate;
unsigned long tmp;
int ret;

if (!write)
tmp = h->nr_overcommit_huge_pages;

table->data = &tmp;
table->maxlen = sizeof(unsigned long);
proc_doulongvec_minmax(table, write, buffer, length, ppos);
ret = proc_doulongvec_minmax(table, write, buffer, length, ppos);
if (ret)
goto out;

if (write) {
spin_lock(&hugetlb_lock);
h->nr_overcommit_huge_pages = tmp;
spin_unlock(&hugetlb_lock);
}

return 0;
out:
return ret;
}

#endif /* CONFIG_SYSCTL */
Expand Down

0 comments on commit 08d4a24

Please sign in to comment.