On Tue, Dec 25, 2018 at 04:16:47PM -0600, Kangjie Lu wrote:
> "uattr->size" is copied in from user space and checked. However, it is
> copied in again after the security check. A malicious user may race to
> change it. The fix checks if uattr->size is ever changed after the
> check.
> 
> Signed-off-by: Kangjie Lu <k...@umn.edu>
> ---

> +     /* Sanity check if size was changed in user space */
> +     if (attr->size != size)
> +             return -EINVAL;
> +
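
Review bot: the check here turns a benign concurrent write into a -EINVAL that the caller cannot distinguish from a genuinely bad size, although `size` has already passed validation by this point. Since the validated value is still in hand, assigning `attr->size = size;` after the second copy_from_user() discards the stale field without introducing a new error path, and leaves no window in which attr->size holds an unchecked value. If the patch keeps the comparison, the comment "Sanity check if size was changed in user space" should say what the mismatch means for the caller (the request is rejected rather than retried), and the -EINVAL choice should be justified in the commit message, which currently only says the change is "checked".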

What perf_copy_attr() does (from whence we copied this code) is:

        attr->size = size;

Would that not also fix things?

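As an added illustration of the double fetch under discussion (example code written for this page, not kernel code and not from either poster): a user-space model in which copy_from_user() is a memcpy from a buffer that stands in for user memory, the attribute structure is a hypothetical `struct attr` with a versioned `size` field, and a hook that runs between the two copies plays the racing user thread. The same copy routine runs under three policies: the original behaviour, which keeps whatever the second fetch brought in; the perf_copy_attr() style overwrite `attr->size = size` suggested in the reply; and the posted patch's reject-on-mismatch. Only the first one lets an unvalidated size reach the consumer.

```c
/* Added example: user-space model of a double fetch of uattr->size.
 * Nothing here is kernel code; names and the struct layout are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define EFAULT 14
#define EINVAL 22

/* Hypothetical versioned attribute struct; user space declares the length
 * of the layout it is passing in the size field. */
struct attr {
    uint32_t size;
    uint32_t flags;
    uint64_t value;
};
#define ATTR_SIZE_VER0 8u                 /* size + flags only */
#define ATTR_SIZE_MAX  sizeof(struct attr)

static unsigned char user_mem[64];        /* stands in for user address space */

/* Stand-in for copy_from_user(): 0 on success, -EFAULT if out of range. */
static int fake_copy_from_user(void *dst, size_t uaddr, size_t n)
{
    if (uaddr + n > sizeof(user_mem))
        return -EFAULT;
    memcpy(dst, user_mem + uaddr, n);
    return 0;
}

enum policy {
    TRUST_SECOND_FETCH,  /* original code: keep what the second copy brought */
    OVERWRITE_SIZE,      /* perf_copy_attr() style: attr->size = size */
    REJECT_MISMATCH      /* the posted patch: -EINVAL if attr->size != size */
};

/* Hook standing in for a second user thread writing between the fetches. */
static void (*race_hook)(void);

static int copy_attr(struct attr *attr, size_t uattr, enum policy p)
{
    uint32_t size;
    int ret;

    memset(attr, 0, sizeof(*attr));

    /* First fetch: the size field alone, which is then validated. */
    ret = fake_copy_from_user(&size, uattr + offsetof(struct attr, size), sizeof(size));
    if (ret)
        return ret;
    if (size == 0)
        size = ATTR_SIZE_VER0;
    if (size < ATTR_SIZE_VER0 || size > ATTR_SIZE_MAX)
        return -EINVAL;

    if (race_hook)           /* the window between check and second fetch */
        race_hook();

    /* Second fetch: the whole structure, size field included. */
    ret = fake_copy_from_user(attr, uattr, size);
    if (ret)
        return ret;

    switch (p) {
    case TRUST_SECOND_FETCH:
        break;               /* attr->size is now whatever user space wrote */
    case OVERWRITE_SIZE:
        attr->size = size;   /* keep the value that was actually checked */
        break;
    case REJECT_MISMATCH:
        if (attr->size != size)
            return -EINVAL;
        break;
    }
    return 0;
}

/* A consumer that relies on attr->size being within the validated bounds. */
static int attr_size_is_sane(const struct attr *attr)
{
    return attr->size >= ATTR_SIZE_VER0 && attr->size <= ATTR_SIZE_MAX;
}

static void flip_size_to_huge(void)
{
    uint32_t huge = 0xffffffffu;
    memcpy(user_mem + offsetof(struct attr, size), &huge, sizeof(huge));
}

/* Runs one scenario on a constructed, initially valid user struct. Returns
 * copy_attr()'s result; *size_sane reports whether the size the kernel side
 * would go on to use is in bounds (1 when the copy was rejected). */
static int run_case(enum policy p, int race, int *size_sane)
{
    struct attr good = { .size = (uint32_t)ATTR_SIZE_MAX, .flags = 1, .value = 42 };
    struct attr kattr;
    int ret;

    memcpy(user_mem, &good, sizeof(good));
    race_hook = race ? flip_size_to_huge : NULL;
    ret = copy_attr(&kattr, 0, p);
    race_hook = NULL;
    *size_sane = (ret == 0) ? attr_size_is_sane(&kattr) : 1;
    return ret;
}

int main(void)
{
    int sane, ret;
    ret = run_case(TRUST_SECOND_FETCH, 1, &sane);
    printf("trust second fetch, raced: ret=%d size_sane=%d\n", ret, sane);
    ret = run_case(OVERWRITE_SIZE, 1, &sane);
    printf("overwrite size, raced:     ret=%d size_sane=%d\n", ret, sane);
    ret = run_case(REJECT_MISMATCH, 1, &sane);
    printf("reject mismatch, raced:    ret=%d size_sane=%d\n", ret, sane);
    return 0;
}
```

The model keeps the kernel's shape deliberately: the first fetch validates, the second fetch re-reads the same field, and everything after that trusts `attr->size`. The overwrite variant is the only one that both closes the window and never fails on a race; the reject variant is safe but hands the caller an -EINVAL it cannot tell apart from a malformed size.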