Re: CVE-2009-2584
From: Linus Torvalds
Date: Thu Nov 05 2009 - 11:34:33 EST
On Thu, 5 Nov 2009, Jiri Kosina wrote:
>
> + memset(buf, 0, sizeof(buf));
> if (strncpy_from_user(buf, userbuf, sizeof(buf) - 1) < 0)
> return -EFAULT;
> - buf[count - 1] = '\0';
Why isn't this just
buf[sizeof(buf) - 1] = 0;
which was almost certainly the _intention_ of the code in the first
place, since 'count' has absolutely nothing to do with the copy from user
space as it is written.
I'm also convinced we do _not_ want 'strncpy' there, since we do have the
size of the write. Doing a strncpy_from_user() is actually _wrong_ if the
user buffer itself is smaller than the kernel buffer and isn't
NUL-terminated.
So that strncpy crap needs to go. It's wrong.
In other words it would all look a whole lot more natural (and correct)
like the appended patch.
Untested, of course. And since almost nobody has the hardware, so it's not
like it's ever likely to _be_ tested.
Linus
---
drivers/misc/sgi-gru/gruprocfs.c | 4 +++-
1 files changed, 3 insertions(+), 1 deletions(-)
diff --git a/drivers/misc/sgi-gru/gruprocfs.c b/drivers/misc/sgi-gru/gruprocfs.c
index ccd4408..c0e17b0 100644
--- a/drivers/misc/sgi-gru/gruprocfs.c
+++ b/drivers/misc/sgi-gru/gruprocfs.c
@@ -164,7 +164,9 @@ static ssize_t options_write(struct file *file, const char __user *userbuf,
unsigned long val;
char buf[80];
- if (strncpy_from_user(buf, userbuf, sizeof(buf) - 1) < 0)
+ if (count >= sizeof(buf))
+ count = sizeof(buf)-1;
+ if (copy_from_user(buf, userbuf, count))
return -EFAULT;
buf[count - 1] = '\0';
if (!strict_strtoul(buf, 10, &val))
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/