author Srinivasarao P <spathi@codeaurora.org> 2016-03-01 12:16:03 +0530
committer Andreas Blaesius <skate4life@gmx.de> 2016-10-27 10:30:46 +0200
commit d99c71893b96b3387dd40baaaf6e84bd51934290 (patch)
tree 738d2d0a2daf3948c234bc7c2779167489524119
parent ad1133d4ef9b5124075949cb2c8a1cc66e84391c (diff)
perf: duplicate deletion of perf event
A malicious app can open a perf event with constraint_duplicate bit set, disable the event, and close the fd. On closing the fd, the perf_release() modification causes the kernel to clean up the event as if it still were enabled, leading to the event being removed from a list twice.

CRs-Fixed: 977563
Change-Id: I5fbec3722407d2f3d0ff0d9f7097c5889e31fd62
Signed-off-by: Srinivasarao P <spathi@codeaurora.org>
-rw-r--r-- kernel/events/core.c 3
1 files changed, 3 insertions, 0 deletions
diff --git a/kernel/events/core.c b/kernel/events/core.c
index acdc087f29e..37a71e1f3b9 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -6477,6 +6477,9 @@ SYSCALL_DEFINE5(perf_event_open,
if (err)
return err;
+ if (attr.__reserved_1)
+ return -EINVAL;
+
if (!attr.exclude_kernel) {
if (perf_paranoid_kernel() && !capable(CAP_SYS_ADMIN))
return -EACCES;
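
Review bot: the new `if (attr.__reserved_1)` test in perf_event_open rejects every nonzero reserved bit, yet nothing in the hunk ties it to the constraint_duplicate bit named in the commit message, so a reader of core.c cannot tell why the check is there or which bit it guards. Add a short comment above it stating that userspace must not set constraint_duplicate and why. The check also only covers events created through this syscall, while the perf_release() cleanup that the message names as the source of the double list removal is untouched by this patch (1 file, 3 insertions); consider making that cleanup path safe for a disabled event as well, so the list handling does not depend on this entry filter alone.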