From: Cliff Wickman <[email protected]>
Someone could write 0 bytes to /proc/sgi_uv/ptc_statistics,
causing
optstr[count - 1] = '\0';
to write to who-knows-where.
(Andi Kleen noticed this need from a patch I sent for
similar code in the ia64 world (sn2_ptc_proc_write()).)
(count less than zero is not possible here, as count is unsigned)
Diffed against 2.6.26-rc6
Signed-off-by: Cliff Wickman <[email protected]>
---
arch/x86/kernel/tlb_uv.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
Index: linux/arch/x86/kernel/tlb_uv.c
===================================================================
--- linux.orig/arch/x86/kernel/tlb_uv.c
+++ linux/arch/x86/kernel/tlb_uv.c
@@ -492,7 +492,7 @@ static ssize_t uv_ptc_proc_write(struct
long newmode;
char optstr[64];
- if (count > 64)
+ if (count == 0 || count > sizeof(optstr))
return -EINVAL;
if (copy_from_user(optstr, user, count))
return -EFAULT;
* Cliff Wickman <[email protected]> wrote:
> From: Cliff Wickman <[email protected]>
>
> Someone could write 0 bytes to /proc/sgi_uv/ptc_statistics,
> causing
> optstr[count - 1] = '\0';
> to write to who-knows-where.
>
> (Andi Kleen noticed this need from a patch I sent for
> similar code in the ia64 world (sn2_ptc_proc_write()).)
>
> (count less than zero is not possible here, as count is unsigned)
>
> Diffed against 2.6.26-rc6
applied to tip/x86/uv - thanks Cliff.
Ingo