Re: CVE-2009-2584

[Linus Torvalds]

On Thu, 5 Nov 2009, Linus Torvalds wrote:
> 
> Untested, of course. And since almost nobody has the hardware, so it's not 
> like it's ever likely to _be_ tested.
> 
> 		Linus
> 
> ---
>  drivers/misc/sgi-gru/gruprocfs.c |    4 +++-
>  1 files changed, 3 insertions(+), 1 deletions(-)
> 
> diff --git a/drivers/misc/sgi-gru/gruprocfs.c b/drivers/misc/sgi-gru/gruprocfs.c
> index ccd4408..c0e17b0 100644
> --- a/drivers/misc/sgi-gru/gruprocfs.c
> +++ b/drivers/misc/sgi-gru/gruprocfs.c
> @@ -164,7 +164,9 @@ static ssize_t options_write(struct file *file, const char __user *userbuf,
>  	unsigned long val;
>  	char buf[80];
>  
> -	if (strncpy_from_user(buf, userbuf, sizeof(buf) - 1) < 0)
> +	if (count >= sizeof(buf))
> +		count = sizeof(buf)-1;
> +	if (copy_from_user(buf, userbuf, count))
>  		return -EFAULT;
>  	buf[count - 1] = '\0';

And it's wrong. That 'count-1' was always wrong. It seems to _depend_ on 
people doing things like

	echo number > /proc/..

and the 'echo' adding a '\n' at the end, and then 'buf[count-1] = 0' 
clearing away the '\n'.

Which is pointless, since '\n' at the end is the _one_ thing 
strict_strtoul() accepts. And it's wrong, because it means that

	echo -n number > /proc..

fails.

In other words, the whole function is utter sh*t as far as I can tell. 
There's basically not a single correct line in the whole thing.

Even the 'strict_strtoul()' line is absolute and utter crap, since it 
forces decimal numbers, but 'options_show()' will then show it as a hex 
number (and a hex number is natural, since it's a set of flags). It also 
doesn't actually return an error if you write some invalid value, and it's 
totally pointless to have that 'val' temporary, since the strict_strtoul 
function only writes the result if it is successful _anyway_.

The size of the buffer is also insane. Since the _only_ thing we will ever 
accept is a number, there's no point in allowing all that many characters. 
And silently ignoring the extra characters kind of makes the whole 
'strict' part of 'strict_strtoul()' pointless.

So here's a second try. I guess the 'return count/-EFAULT' lines were
actually correct after all. So it wasn't _all_ buggy or insane.

Still entirely untested.

		Linus

---
 drivers/misc/sgi-gru/gruprocfs.c |   13 +++++++------
 1 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/drivers/misc/sgi-gru/gruprocfs.c b/drivers/misc/sgi-gru/gruprocfs.c
index ccd4408..762f179 100644
--- a/drivers/misc/sgi-gru/gruprocfs.c
+++ b/drivers/misc/sgi-gru/gruprocfs.c
@@ -161,14 +161,15 @@ static int options_show(struct seq_file *s, void *p)
 static ssize_t options_write(struct file *file, const char __user *userbuf,
 			     size_t count, loff_t *data)
 {
-	unsigned long val;
-	char buf[80];
+	char buf[16];
 
-	if (strncpy_from_user(buf, userbuf, sizeof(buf) - 1) < 0)
+	if (count >= sizeof(buf))
+		return -EINVAL;
+	if (copy_from_user(buf, userbuf, count))
 		return -EFAULT;
-	buf[count - 1] = '\0';
-	if (!strict_strtoul(buf, 10, &val))
-		gru_options = val;
+	buf[count] = '\0';
+	if (strict_strtoul(buf, 0, &gru_options))
+		return -EINVAL;
 
 	return count;
 }
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/