Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1760023AbYFWVNx (ORCPT ); Mon, 23 Jun 2008 17:13:53 -0400 Received: (majordomo@vger.kernel.org) by vger.kernel.org id S1754061AbYFWVNq (ORCPT ); Mon, 23 Jun 2008 17:13:46 -0400 Received: from mx3.mail.elte.hu ([157.181.1.138]:59766 "EHLO mx3.mail.elte.hu" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753981AbYFWVNp (ORCPT ); Mon, 23 Jun 2008 17:13:45 -0400 Date: Mon, 23 Jun 2008 23:13:35 +0200 From: Ingo Molnar To: Cliff Wickman Cc: linux-kernel@vger.kernel.org Subject: Re: [PATCH] SGI UV: uv_ptc_proc_write security hole Message-ID: <20080623211335.GA12877@elte.hu> References: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.18 (2008-05-17) X-ELTE-VirusStatus: clean X-ELTE-SpamScore: -1.5 X-ELTE-SpamLevel: X-ELTE-SpamCheck: no X-ELTE-SpamVersion: ELTE 2.0 X-ELTE-SpamCheck-Details: score=-1.5 required=5.9 tests=BAYES_00 autolearn=no SpamAssassin version=3.2.3 -1.5 BAYES_00 BODY: Bayesian spam probability is 0 to 1% [score: 0.0000] Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 722 Lines: 25 * Cliff Wickman wrote: > From: Cliff Wickman > > Someone could write 0 bytes to /proc/sgi_uv/ptc_statistics, > causing > optstr[count - 1] = '\0'; > to write to who-knows-where. > > (Andi Kleen noticed this need from a patch I sent for > similar code in the ia64 world (sn2_ptc_proc_write()).) > > (count less than zero is not possible here, as count is unsigned) > > Diffed against 2.6.26-rc6 applied to tip/x86/uv - thanks Cliff. Ingo -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/