author | Srinivasarao P <spathi@codeaurora.org> | 2016-03-01 12:16:03 +0530 |
---|---|---|
committer | Ziyan <jaraidaniel@gmail.com> | 2016-10-29 01:34:20 +0200 |
commit | 9a3276020f1fcafd01a8647310128f9ccc8afdde (patch) | |
tree | 258b772dfb0c562fab51397e54f685596039fcad | |
parent | 388ebaeb91e8f7c4c1b1f9939924e310fae47bf0 (diff) | |
perf: duplicate deletion of perf event
A malicious app can open a perf event with constraint_duplicate
bit set, disable the event, and close the fd. On closing the fd,
the perf_release() modification causes the kernel to clean up
the event as if it still were enabled, leading to the event
being removed from a list twice.
CRs-Fixed: 977563
Change-Id: I5fbec3722407d2f3d0ff0d9f7097c5889e31fd62
Signed-off-by: Srinivasarao P <spathi@codeaurora.org>
-rw-r--r-- | kernel/events/core.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/kernel/events/core.c b/kernel/events/core.c index 792cd3363e1..4d6c8e6ff4c 100644 --- a/kernel/events/core.c +++ b/kernel/events/core.c @@ -6485,6 +6485,9 @@ SYSCALL_DEFINE5(perf_event_open, if (err) return err; + if (attr.__reserved_1) + return -EINVAL; + if (!attr.exclude_kernel) { if (perf_paranoid_kernel() && !capable(CAP_SYS_ADMIN)) return -EACCES; |
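Review bot: the added `if (attr.__reserved_1) return -EINVAL;` in SYSCALL_DEFINE5(perf_event_open) carries no comment linking `__reserved_1` to the constraint_duplicate bit named in the commit message, so a reader of core.c cannot tell why a reserved field is rejected at this point. Add a short comment above the check saying that userspace must not set this field and which cleanup path depends on that. The check also guards only the syscall entry: this hunk does not touch the perf_release() cleanup that the message identifies as removing the event from a list twice, so please confirm that no other caller can reach that cleanup with the bit set, or make the list removal itself safe against a second call.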