From: Mathieu Desnoyers Date: Tue, 31 Oct 2017 22:23:59 +0000 (-0400) Subject: Fix: lttng-logger get_user_pages_fast error handling X-Git-Tag: v2.10.3~1 X-Git-Url: http://git.liburcu.org/?p=lttng-modules.git;a=commitdiff_plain;h=8c82bf9c7c15182d0c2222b62ba3bced4afa0cad Fix: lttng-logger get_user_pages_fast error handling Comparing a signed return value against an unsigned nr_pages performs the comparison as "unsigned", and therefore mistakenly considers get_user_pages_fast() errors as success. By passing an invalid pointer to write() to the /proc/lttng-logger interface, unprivileged user-space processes can trigger a kernel OOPS. Signed-off-by: Mathieu Desnoyers --- diff --git a/probes/lttng.c b/probes/lttng.c index 8810fa22..09045fac 100644 --- a/probes/lttng.c +++ b/probes/lttng.c @@ -65,7 +65,7 @@ static ssize_t lttng_logger_write(struct file *file, const char __user *user_buf, size_t count, loff_t *ppos) { - unsigned int nr_pages = 1, i; + int nr_pages = 1, i; unsigned long uaddr = (unsigned long) user_buf; struct page *pages[2]; ssize_t written;
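Review bot: the `int nr_pages = 1, i;` declaration fixes the bug only implicitly, by making the comparison against the get_user_pages_fast() return value a signed one, and nothing at this line records why the type matters. A later cleanup that turns nr_pages back into an unsigned type would silently reintroduce the behaviour described in the commit message. Consider a short comment on the declaration, or an explicit negative-return check at the call site (outside this hunk) before the value is compared with nr_pages, so the error path does not depend on integer conversion rules. The shared declaration also makes `i` signed as a side effect; declaring `i` on its own line would limit the type change to the one variable that needs it.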