[PATCH] SGI UV: uv_ptc_proc_write security hole

From: Cliff Wickman
Date: Mon Jun 23 2008 - 09:32:49 EST

Next message: Louis Rilling: "Re: [PATCH 01/70] tty: Ldisc revamp"
Previous message: Greg Ungerer: "Re: [PATCH] m68knommu: ColdFire add support for kernel preemption"
Next in thread: Ingo Molnar: "Re: [PATCH] SGI UV: uv_ptc_proc_write security hole"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Cliff Wickman <cpw@xxxxxxx>

Someone could write 0 bytes to /proc/sgi_uv/ptc_statistics,
causing
optstr[count - 1] = '\0';
to write to who-knows-where.

(Andi Kleen noticed this need from a patch I sent for
similar code in the ia64 world (sn2_ptc_proc_write()).)

(count less than zero is not possible here, as count is unsigned)

Diffed against 2.6.26-rc6

Signed-off-by: Cliff Wickman <cpw@xxxxxxx>
---
arch/x86/kernel/tlb_uv.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

Index: linux/arch/x86/kernel/tlb_uv.c
===================================================================
--- linux.orig/arch/x86/kernel/tlb_uv.c
+++ linux/arch/x86/kernel/tlb_uv.c
@@ -492,7 +492,7 @@ static ssize_t uv_ptc_proc_write(struct
long newmode;
char optstr[64];

- if (count > 64)
+ if (count == 0 || count > sizeof(optstr))
return -EINVAL;
if (copy_from_user(optstr, user, count))
return -EFAULT;
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Louis Rilling: "Re: [PATCH 01/70] tty: Ldisc revamp"
Previous message: Greg Ungerer: "Re: [PATCH] m68knommu: ColdFire add support for kernel preemption"
Next in thread: Ingo Molnar: "Re: [PATCH] SGI UV: uv_ptc_proc_write security hole"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]