* cpufreq/linux/drivers/cpufreq userspace.c,1.1.1.2,1.1.1.3
@ 2004-07-15 13:08 Ducrot Bruno
From: Ducrot Bruno @ 2004-07-15 13:08 UTC (permalink / raw)
  To: cpufreq

Update of /mnt/src/cvsroot/cpufreq/linux/drivers/cpufreq
In directory flint:/tmp/cvs-serv9074

Modified Files:
      Tag: LINUX_2_4
	userspace.c 
Log Message:
Fix security hole in proc handler.
 Brad Spengler <spender@grsecurity.net> found an exploitable bug in the proc handler
 of cpufreq, where a user-supplied unsigned int is cast to a signed int and then
 passed on to copy_[to|from]_user() allowing arbitrary amounts of memory to be written
 (root only thankfully), or read (as any user).

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned
the name CAN-2004-0228 to this issue.



Index: userspace.c
===================================================================
RCS file: /mnt/src/cvsroot/cpufreq/linux/drivers/cpufreq/Attic/userspace.c,v
retrieving revision 1.1.1.2
retrieving revision 1.1.1.3
diff -u -r1.1.1.2 -r1.1.1.3
--- userspace.c	28 Aug 2003 13:41:57 -0000	1.1.1.2
+++ userspace.c	15 Jul 2004 13:08:02 -0000	1.1.1.3
@@ -161,7 +161,7 @@
 {
 	char buf[16], *p;
 	int cpu = (int) ctl->extra1;
-	int len, left = *lenp;
+	size_t len, left = *lenp;
 
 	if (!left || (filp->f_pos && !write) || !cpu_online(cpu)) {
 		*lenp = 0;
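
Review bot: At the `size_t len, left = *lenp;` declaration, the type change removes the signed conversion, but nothing in the visible context shows the length being bounded against `buf[16]` before it reaches copy_[to|from]_user(). The rest of the function is outside this hunk, so please confirm that every copy on both the read and the write path is clamped to `sizeof(buf)`. Also check any remaining comparisons in the function that assumed a signed `len` or `left` (a `< 0` or `> 0` test, for example), since they change meaning once the variables are unsigned. A short comment at the declaration stating that these lengths come from the user-supplied `*lenp` and must stay unsigned would keep a later cleanup from reverting the type.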
