2008-06-23 13:32:47

by Cliff Wickman

[permalink] [raw]
Subject: [PATCH] SGI UV: uv_ptc_proc_write security hole



From: Cliff Wickman <[email protected]>

Someone could write 0 bytes to /proc/sgi_uv/ptc_statistics,
causing
optstr[count - 1] = '\0';
to write to who-knows-where.

(Andi Kleen noticed this need from a patch I sent for
similar code in the ia64 world (sn2_ptc_proc_write()).)

(count less than zero is not possible here, as count is unsigned)

Diffed against 2.6.26-rc6

Signed-off-by: Cliff Wickman <[email protected]>
---
arch/x86/kernel/tlb_uv.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

Index: linux/arch/x86/kernel/tlb_uv.c
===================================================================
--- linux.orig/arch/x86/kernel/tlb_uv.c
+++ linux/arch/x86/kernel/tlb_uv.c
@@ -492,7 +492,7 @@ static ssize_t uv_ptc_proc_write(struct
long newmode;
char optstr[64];

- if (count > 64)
+ if (count == 0 || count > sizeof(optstr))
return -EINVAL;
if (copy_from_user(optstr, user, count))
return -EFAULT;


2008-06-23 21:13:53

by Ingo Molnar

[permalink] [raw]
Subject: Re: [PATCH] SGI UV: uv_ptc_proc_write security hole


* Cliff Wickman <[email protected]> wrote:

> From: Cliff Wickman <[email protected]>
>
> Someone could write 0 bytes to /proc/sgi_uv/ptc_statistics,
> causing
> optstr[count - 1] = '\0';
> to write to who-knows-where.
>
> (Andi Kleen noticed this need from a patch I sent for
> similar code in the ia64 world (sn2_ptc_proc_write()).)
>
> (count less than zero is not possible here, as count is unsigned)
>
> Diffed against 2.6.26-rc6

applied to tip/x86/uv - thanks Cliff.

Ingo