x86, msr: fix NULL pointer deref due to msr_open on nonexistent CPUs

msr_open tests for someone trying to open a device for a nonexistent CPU. However, the function always returns 0, not ret like it should, hence userspace can BUG the kernel trivially. This bug was introduced by the cdev lock_kernel pushdown patch last May. The BUG can be reproduced with these commands: # mknod fubar c 202 8 <-- pick a number less than NR_CPUS that is not the number of an online CPU # cat fubar Signed-off-by: N Darrick J. Wong <djwong@us.ibm.com> Signed-off-by: N Ingo Molnar <mingo@elte.hu>

x86, msr: fix NULL pointer deref due to msr_open on nonexistent CPUs
msr_open tests for someone trying to open a device for a nonexistent CPU. However, the function always returns 0, not ret like it should, hence userspace can BUG the kernel trivially. This bug was introduced by the cdev lock_kernel pushdown patch last May. The BUG can be reproduced with these commands: # mknod fubar c 202 8 <-- pick a number less than NR_CPUS that is not the number of an online CPU # cat fubar Signed-off-by: N Darrick J. Wong <djwong@us.ibm.com> Signed-off-by: N Ingo Molnar <mingo@elte.hu>
967060d0 · Darrick J. Wong · Ingo Molnar · a6825f1c · 967060d0
隐藏空白更改
内联并排

Showing with 1 addition and 1 deletion

arch/x86/kernel/msr.c arch/x86/kernel/msr.c +1 -1

未找到文件。
--- a/arch/x86/kernel/msr.c
+++ b/arch/x86/kernel/msr.c
@@ -131,7 +131,7 @@ static int msr_open(struct inode *inode, struct file *file)
 		ret = -EIO;	/* MSR not supported */
 out:
 	unlock_kernel();
-	return 0;
+	return ret;
 }

 /*