Re: CVE-2009-2584

From: Jiri Kosina
Date: Thu Nov 05 2009 - 10:27:30 EST

[ adding some more CCs and including patch below for completeness,
obviously it got lost in space ]

On Wed, 4 Nov 2009, Michael Gilbert wrote:

> CVE-2009-2584 [0],[1] has been disclosed for quite a while now (with
> existing exploit code by Brad Spengler [2]). A patch has also been
> available for the same amount of time [3], but as of 2.6.32-rc6 it is
> still not applied. Did this slip through the cracks? Thanks upfront
> for any info on the matter.
[ ... ]
> [0]
> [1]
> [2]
> [3]

From: Michael Buesch <mb@xxxxxxxxx>
Subject: sgi-gru: Fix kernel stack buffer overrun

This patch fixes a kernel stack buffer overrun in the sgi-gru procfs
interface implementation. The "count" parameter to options_write() is user
controlled. So this bug can be used to write '\0' bytes to almost
arbitrary places on the kernel stack.

Cc: stable@xxxxxxxxxx
Signed-off-by: Michael Buesch <mb@xxxxxxxxx>
Acked-by: Jack Steiner <steiner@xxxxxxx>

--- linux-2.6.orig/drivers/misc/sgi-gru/gruprocfs.c
+++ linux-2.6/drivers/misc/sgi-gru/gruprocfs.c
@@ -157,23 +157,23 @@ static int options_show(struct seq_file
seq_printf(s, "0x%lx\n", gru_options);
return 0;

static ssize_t options_write(struct file *file, const char __user *userbuf,
size_t count, loff_t *data)
unsigned long val;
char buf[80];

+ memset(buf, 0, sizeof(buf));
if (strncpy_from_user(buf, userbuf, sizeof(buf) - 1) < 0)
return -EFAULT;
- buf[count - 1] = '\0';
if (!strict_strtoul(buf, 10, &val))
gru_options = val;

return count;

static int cch_seq_show(struct seq_file *file, void *data)
long gid = *(long *)data;
int i;


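To make the commit message's claim concrete, here is an added user-space model of the two versions of options_write(); it is constructed for this page and is not Michael Buesch's patch or any kernel code. It assumes a struct frame (an 80-byte buf followed by a canary region) as a stand-in for the real stack layout, a copy_user_string() stand-in for strncpy_from_user() and a parse_ulong() stand-in for strict_strtoul(), and it only performs the pre-fix store while the index stays inside that struct so that an out-of-bounds NUL shows up as canary damage instead of corrupting the running process.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define OPT_BUF_LEN 80          /* matches char buf[80] in options_write() */
#define CANARY_LEN  64
#define CANARY_BYTE 0xAA

/* Modelled stack frame (assumption): buf followed by a canary standing in
 * for whatever the compiler placed above buf (saved registers, return address). */
struct frame {
    char buf[OPT_BUF_LEN];
    unsigned char canary[CANARY_LEN];
};

static void frame_init(struct frame *f)
{
    memset(f->buf, 'X', sizeof(f->buf));            /* stale, non-NUL stack contents */
    memset(f->canary, CANARY_BYTE, sizeof(f->canary));
}

/* Stand-in for strncpy_from_user(): copies at most n bytes, stops at NUL,
 * never writes a terminator itself, returns the number of bytes copied. */
static long copy_user_string(char *dst, const char *src, size_t n)
{
    size_t i;
    for (i = 0; i < n && src[i] != '\0'; i++)
        dst[i] = src[i];
    return (long)i;
}

/* Stand-in for strict_strtoul(): the whole string must be a base-10 number,
 * one trailing '\n' is tolerated. Returns 0 on success, -EINVAL otherwise. */
static int parse_ulong(const char *s, unsigned long *val)
{
    char *end;
    errno = 0;
    *val = strtoul(s, &end, 10);
    if (errno != 0 || end == s)
        return -EINVAL;
    if (*end == '\n')
        end++;
    return (*end == '\0') ? 0 : -EINVAL;
}

/* Number of canary bytes that no longer hold CANARY_BYTE (0 means no overrun). */
static size_t canary_damage(const struct frame *f)
{
    size_t i, n = 0;
    for (i = 0; i < sizeof(f->canary); i++)
        if (f->canary[i] != CANARY_BYTE)
            n++;
    return n;
}

/* Pre-fix logic: the terminator goes to buf[count - 1], with count taken from
 * the caller and never compared against sizeof(buf). Returns canary damage. */
static size_t options_write_before(const char *user, size_t count, unsigned long *opt)
{
    struct frame f;
    unsigned long val;

    frame_init(&f);
    copy_user_string(f.buf, user, sizeof(f.buf) - 1);
    if (count - 1 < sizeof(f))                  /* model guard; count == 0 wraps to SIZE_MAX */
        ((char *)&f)[count - 1] = '\0';         /* the removed buf[count - 1] = '\0' */
    if (!parse_ulong(f.buf, &val))
        *opt = val;
    return canary_damage(&f);
}

/* Post-fix logic: buf is zeroed first and at most sizeof(buf) - 1 bytes are
 * copied, so buf[79] is always NUL and count is no longer used as an index. */
static size_t options_write_after(const char *user, size_t count, unsigned long *opt)
{
    struct frame f;
    unsigned long val;

    frame_init(&f);
    memset(f.buf, 0, sizeof(f.buf));            /* the fix */
    copy_user_string(f.buf, user, sizeof(f.buf) - 1);
    if (!parse_ulong(f.buf, &val))
        *opt = val;
    (void)count;                                /* only echoed back by the driver */
    return canary_damage(&f);
}

int main(void)
{
    unsigned long opt = 0;
    size_t d;

    d = options_write_before("12\n", 100, &opt);
    printf("before, count=100: canary bytes clobbered=%zu opt=%lu\n", d, opt);
    d = options_write_after("12\n", 100, &opt);
    printf("after,  count=100: canary bytes clobbered=%zu opt=%lu\n", d, opt);
    return 0;
}
```

With a three-byte write and count == 3 both versions behave the same; with count == 100 the pre-fix version plants a NUL in the canary region (byte 99 of the frame) while the fixed version leaves it untouched and still parses the value, and a 100-digit input shows the fixed path truncating at 79 bytes without ever touching the canary.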