Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754965AbYFWNcr (ORCPT ); Mon, 23 Jun 2008 09:32:47 -0400 Received: (majordomo@vger.kernel.org) by vger.kernel.org id S1752475AbYFWNck (ORCPT ); Mon, 23 Jun 2008 09:32:40 -0400 Received: from relay1.sgi.com ([192.48.171.29]:54970 "EHLO relay.sgi.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1751647AbYFWNck (ORCPT ); Mon, 23 Jun 2008 09:32:40 -0400 To: mingo@elte.hu Subject: [PATCH] SGI UV: uv_ptc_proc_write security hole Cc: linux-kernel@vger.kernel.org Message-Id: From: Cliff Wickman Date: Mon, 23 Jun 2008 08:32:25 -0500 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1167 Lines: 39 From: Cliff Wickman Someone could write 0 bytes to /proc/sgi_uv/ptc_statistics, causing optstr[count - 1] = '\0'; to write to who-knows-where. (Andi Kleen noticed this need from a patch I sent for similar code in the ia64 world (sn2_ptc_proc_write()).) (count less than zero is not possible here, as count is unsigned) Diffed against 2.6.26-rc6 Signed-off-by: Cliff Wickman --- arch/x86/kernel/tlb_uv.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) Index: linux/arch/x86/kernel/tlb_uv.c =================================================================== --- linux.orig/arch/x86/kernel/tlb_uv.c +++ linux/arch/x86/kernel/tlb_uv.c @@ -492,7 +492,7 @@ static ssize_t uv_ptc_proc_write(struct long newmode; char optstr[64]; - if (count > 64) + if (count == 0 || count > sizeof(optstr)) return -EINVAL; if (copy_from_user(optstr, user, count)) return -EFAULT; -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/