On Tue, Dec 25, 2018 at 04:16:47PM -0600, Kangjie Lu wrote:
> "uattr->size" is copied in from user space and checked. However, it is
> copied in again after the security check. A malicious user may race to
> change it. The fix checks if uattr->size is ever changed after the
> check.
>
> Signed-off-by: Kangjie Lu <k...@umn.edu>
> ---
> + /* Sanity check if size was changed in user space */
> + if (attr->size != size)
> + return -EINVAL;
> +

What perf_copy_attr() does (from whence we copied this code) is:

	attr->size = size;

Would that not also fix things?
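Review bot: the hunk's `if (attr->size != size) return -EINVAL;` turns a size that changed between the two copies into a new, user-visible error, even though the local `size` is the value that already passed the security check; assigning `attr->size = size;` after the second copy, as the reply says perf_copy_attr() does, closes the same race while keeping the validated value and adding no new error path, and either way the comment should state which of the two values is authoritative.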
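The pattern under discussion, modelled in user space as an added example that is not part of the patch or the thread: a structure is fetched twice, the size field of the first fetch is validated, and a concurrent writer changes the field before the second fetch. The three variants show the unfixed code, the patch's reject-on-mismatch check, and the perf_copy_attr() style overwrite with the validated value. All names here (attr_t, MAX_ATTR_SIZE, fetch_attr_*, racer_grow) are assumptions made for the example.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_ATTR_SIZE 64   /* hypothetical upper bound enforced by the check */

typedef struct {
    uint32_t size;
    uint32_t flags;
} attr_t;

/* Models a concurrent user-space writer that runs between the two fetches. */
typedef void (*racer_fn)(attr_t *user_attr);

/* The "security check": size must cover the struct and stay within the bound. */
static int check_size(uint32_t size)
{
    if (size < sizeof(attr_t) || size > MAX_ATTR_SIZE)
        return -EINVAL;
    return 0;
}

/* Unfixed pattern: validate the first copy, then trust the second copy. */
static int fetch_attr_unfixed(attr_t *user_attr, racer_fn racer, attr_t *out)
{
    uint32_t size;
    int err;

    memcpy(&size, &user_attr->size, sizeof(size));   /* first fetch (stands in for copy_from_user) */
    err = check_size(size);
    if (err)
        return err;
    if (racer)
        racer(user_attr);                             /* window in which user memory changes */
    memcpy(out, user_attr, sizeof(*out));             /* second fetch: out->size was never checked */
    return 0;
}

/* Fix as in the patch: reject the call if the second copy disagrees. */
static int fetch_attr_reject(attr_t *user_attr, racer_fn racer, attr_t *out)
{
    uint32_t size;
    int err;

    memcpy(&size, &user_attr->size, sizeof(size));
    err = check_size(size);
    if (err)
        return err;
    if (racer)
        racer(user_attr);
    memcpy(out, user_attr, sizeof(*out));
    if (out->size != size)                            /* sanity check if size was changed */
        return -EINVAL;
    return 0;
}

/* Fix in the perf_copy_attr() style: overwrite with the validated value. */
static int fetch_attr_overwrite(attr_t *user_attr, racer_fn racer, attr_t *out)
{
    uint32_t size;
    int err;

    memcpy(&size, &user_attr->size, sizeof(size));
    err = check_size(size);
    if (err)
        return err;
    if (racer)
        racer(user_attr);
    memcpy(out, user_attr, sizeof(*out));
    out->size = size;                                 /* only the checked value survives */
    return 0;
}

/* Constructed racer: pushes size past the bound after the check has passed. */
static void racer_grow(attr_t *user_attr)
{
    user_attr->size = MAX_ATTR_SIZE * 4;
}

/* Runs one variant against a fresh, initially valid (constructed) user buffer. */
static int run_variant(int (*variant)(attr_t *, racer_fn, attr_t *),
                       racer_fn racer, attr_t *out)
{
    attr_t user = { .size = sizeof(attr_t), .flags = 1 };
    return variant(&user, racer, out);
}

int main(void)
{
    attr_t out;
    int rc;

    rc = run_variant(fetch_attr_unfixed, racer_grow, &out);
    printf("unfixed:   rc=%d size=%u (unchecked size got through)\n", rc, out.size);
    rc = run_variant(fetch_attr_reject, racer_grow, &out);
    printf("reject:    rc=%d\n", rc);
    rc = run_variant(fetch_attr_overwrite, racer_grow, &out);
    printf("overwrite: rc=%d size=%u (validated size kept)\n", rc, out.size);
    return 0;
}
```

The unfixed variant returns success while carrying a size the check never saw; the reject variant converts the same race into -EINVAL; the overwrite variant succeeds and keeps only the validated size, which is the difference the reply is asking about.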