[PATCH] IA64: Fix stack overflow in create_palinfo_proc_entries

From: Richard Weinberger
Date: Wed Mar 20 2013 - 07:07:15 EST

Having more than 99 CPUs causes an overflow of cpustr.
If an attacker is able to control the number CPUs he might able to inject code
...kind of. ;-)

Signed-off-by: Richard Weinberger <richard@xxxxxx>
arch/ia64/kernel/palinfo.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/arch/ia64/kernel/palinfo.c b/arch/ia64/kernel/palinfo.c
index 77597e5..35bee152 100644
--- a/arch/ia64/kernel/palinfo.c
+++ b/arch/ia64/kernel/palinfo.c
@@ -971,20 +971,18 @@ palinfo_read_entry(char *page, char **start, off_t off, int count, int *eof, voi
static void __cpuinit
create_palinfo_proc_entries(unsigned int cpu)
-# define CPUSTR "cpu%d"
pal_func_cpu_u_t f;
struct proc_dir_entry **pdir;
struct proc_dir_entry *cpu_dir;
int j;
- char cpustr[sizeof(CPUSTR)];
+ char cpustr[32];

* we keep track of created entries in a depth-first order for
* cleanup purposes. Each entry is stored into palinfo_proc_entries
- sprintf(cpustr,CPUSTR, cpu);
+ snprintf(cpustr, sizeof(cpustr), "cpu%d", cpu);

cpu_dir = proc_mkdir(cpustr, palinfo_dir);


To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/