From: Dan Carpenter <dan.carpenter@oracle.com>
To: Jeff Dike <jdike@addtoit.com>
Cc: Fabian Yamaguchi <fabs@goesec.de>,
security@kernel.org, user-mode-linux-devel@lists.sourceforge.net,
Richard Weinberger <richard@nod.at>,
user-mode-linux-user@lists.sourceforge.net,
Nico Golde <nico@ngolde.de>
Subject: [uml-devel] [patch] uml: check length in exitcode_proc_write()
Date: Tue, 29 Oct 2013 22:06:04 +0300 [thread overview]
Message-ID: <20131029190604.GA21820@longonot.mountain> (raw)
In-Reply-To: <20131025144452.GA28451@ngolde.de>
We don't cap the size of buffer from the user so we could write past
the end of the array here. Only root can write to this file.
Reported-by: Nico Golde <nico@ngolde.de>
Reported-by: Fabian Yamaguchi <fabs@goesec.de>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
diff --git a/arch/um/kernel/exitcode.c b/arch/um/kernel/exitcode.c
index 829df49..41ebbfe 100644
--- a/arch/um/kernel/exitcode.c
+++ b/arch/um/kernel/exitcode.c
@@ -40,9 +40,11 @@ static ssize_t exitcode_proc_write(struct file *file,
const char __user *buffer, size_t count, loff_t *pos)
{
char *end, buf[sizeof("nnnnn\0")];
+ size_t size;
int tmp;
- if (copy_from_user(buf, buffer, count))
+ size = min(count, sizeof(buf));
+ if (copy_from_user(buf, buffer, size))
return -EFAULT;
tmp = simple_strtol(buf, &end, 0);
------------------------------------------------------------------------------
Android is increasing in popularity, but the open development platform that
developers love is also attractive to malware creators. Download this white
paper to learn more about secure code signing practices that can help keep
Android apps secure.
http://pubads.g.doubleclick.net/gampad/clk?id=65839951&iu=/4140/ostg.clktrk
_______________________________________________
User-mode-linux-devel mailing list
User-mode-linux-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/user-mode-linux-devel
next parent reply other threads:[~2013-10-29 19:06 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20131025144452.GA28451@ngolde.de>
2013-10-29 19:06 ` Dan Carpenter [this message]
2013-11-01 9:22 ` [uml-devel] [patch] uml: check length in exitcode_proc_write() Richard Weinberger
2013-10-29 19:06 ` [patch] libertas: potential oops in debugfs Dan Carpenter
2013-10-29 20:09 ` Dan Carpenter
2013-10-29 19:10 ` [patch] [SCSI] aacraid: prevent ZERO_SIZE_PTR dereference Dan Carpenter
2013-10-29 19:36 ` James Bottomley
2013-10-29 19:59 ` Linus Torvalds
2013-10-29 20:06 ` Dan Carpenter
2013-10-29 20:17 ` Linus Torvalds
2013-10-30 7:47 ` Dan Carpenter
2013-10-29 19:11 ` [patch] [SCSI] aacraid: missing capable() check in compat ioctl Dan Carpenter
2013-10-30 17:12 ` [patch v2] libertas: potential oops in debugfs Dan Carpenter
2013-10-30 17:12 ` Dan Carpenter
2013-10-30 19:51 ` Dan Williams
2013-10-30 19:51 ` Dan Williams
2013-10-30 17:13 ` [patch] [SCSI] megaraid: missing bounds check in mimd_to_kioc() Dan Carpenter
2013-11-21 0:40 ` Kees Cook
2014-01-08 12:27 ` Saxena, Sumit
2014-01-09 18:34 ` Kees Cook
2014-01-09 19:53 ` Saxena, Sumit
2014-01-09 20:03 ` Kees Cook
2013-10-31 18:00 ` [patch] xfs: underflow bug in xfs_attrlist_by_handle() Dan Carpenter
2013-10-31 21:34 ` Dave Chinner
2013-12-04 21:53 ` Ben Myers
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20131029190604.GA21820@longonot.mountain \
--to=dan.carpenter@oracle.com \
--cc=fabs@goesec.de \
--cc=jdike@addtoit.com \
--cc=nico@ngolde.de \
--cc=richard@nod.at \
--cc=security@kernel.org \
--cc=user-mode-linux-devel@lists.sourceforge.net \
--cc=user-mode-linux-user@lists.sourceforge.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.