From: ebiederm@xmission.com (Eric W. Biederman)
To: Dan Carpenter <error27@gmail.com>
Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>,
Heiko Carstens <heiko.carstens@de.ibm.com>,
linux390@de.ibm.com, Hans-Joachim Picht <hans@linux.vnet.ibm.com>,
Sebastian Ott <sebott@linux.vnet.ibm.com>,
linux-s390@vger.kernel.org, linux-kernel@vger.kernel.org,
kernel-janitors@vger.kernel.org
Subject: Re: [patch] s390: potential buffer overflow
Date: Tue, 30 Mar 2010 16:25:01 +0000 [thread overview]
Message-ID: <m1k4strd42.fsf@fess.ebiederm.org> (raw)
In-Reply-To: <20100330094342.GJ5069@bicker> (Dan Carpenter's message of "Tue\, 30 Mar 2010 12\:43\:42 +0300")
Dan Carpenter <error27@gmail.com> writes:
> "len" hasn't been properly range checked so we shouldn't use it as an
> array offset. This can only be written to by root but it would still be
> annoying to accidentally write more than 3 characters and corrupt your
> memory.
>
> Signed-off-by: Dan Carpenter <error27@gmail.com>
> ---
> I don't have a cross compile environment to compile this. Sorry. :/
>
> diff --git a/drivers/s390/char/sclp_async.c b/drivers/s390/char/sclp_async.c
> index f449c69..72c2e90 100644
> --- a/drivers/s390/char/sclp_async.c
> +++ b/drivers/s390/char/sclp_async.c
> @@ -84,7 +84,7 @@ static int proc_handler_callhome(struct ctl_table *ctl, int write,
> rc = copy_from_user(buf, buffer, sizeof(buf));
> if (rc != 0)
> return -EFAULT;
> - buf[len - 1] = '\0';
> + buf[sizeof(buf) - 1] = '\0';
> if (strict_strtoul(buf, 0, &val) != 0)
> return -EINVAL;
> if (val != 0 && val != 1)
> @@ -99,6 +99,7 @@ static int proc_handler_callhome(struct ctl_table *ctl, int write,
> static struct ctl_table callhome_table[] = {
> {
> .procname = "callhome",
> + .maxlen = 3,
> .mode = 0644,
> .proc_handler = proc_handler_callhome,
> },
Setting maxlen won't do any good as proc_handler_callhome doesn't look at it.
Eric
next prev parent reply other threads:[~2010-03-30 16:25 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-03-30 9:43 [patch] s390: potential buffer overflow Dan Carpenter
2010-03-30 16:25 ` Eric W. Biederman [this message]
2010-03-30 16:45 ` [patch v2] " Dan Carpenter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=m1k4strd42.fsf@fess.ebiederm.org \
--to=ebiederm@xmission.com \
--cc=error27@gmail.com \
--cc=hans@linux.vnet.ibm.com \
--cc=heiko.carstens@de.ibm.com \
--cc=kernel-janitors@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-s390@vger.kernel.org \
--cc=linux390@de.ibm.com \
--cc=schwidefsky@de.ibm.com \
--cc=sebott@linux.vnet.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox