[patch] s390: potential buffer overflow

public inbox for kernel-janitors@vger.kernel.org
 help / color / mirror / Atom feed

* [patch] s390: potential buffer overflow
@ 2010-03-30  9:43 Dan Carpenter
  2010-03-30 16:25 ` Eric W. Biederman
  0 siblings, 1 reply; 3+ messages in thread
From: Dan Carpenter @ 2010-03-30  9:43 UTC (permalink / raw)
  To: Martin Schwidefsky
  Cc: Heiko Carstens, linux390, Hans-Joachim Picht, Eric W. Biederman,
	Sebastian Ott, linux-s390, linux-kernel, kernel-janitors

"len" hasn't been properly range checked so we shouldn't use it as an
array offset.  This can only be written to by root but it would still be
annoying to accidentally write more than 3 characters and corrupt your
memory.

Signed-off-by: Dan Carpenter <error27@gmail.com>
---
I don't have a cross compile environment to compile this.  Sorry.  :/

diff --git a/drivers/s390/char/sclp_async.c b/drivers/s390/char/sclp_async.c
index f449c69..72c2e90 100644
--- a/drivers/s390/char/sclp_async.c
+++ b/drivers/s390/char/sclp_async.c
@@ -84,7 +84,7 @@ static int proc_handler_callhome(struct ctl_table *ctl, int write,
 		rc = copy_from_user(buf, buffer, sizeof(buf));
 		if (rc != 0)
 			return -EFAULT;
-		buf[len - 1] = '\0';
+		buf[sizeof(buf) - 1] = '\0';
 		if (strict_strtoul(buf, 0, &val) != 0)
 			return -EINVAL;
 		if (val != 0 && val != 1)
@@ -99,6 +99,7 @@ static int proc_handler_callhome(struct ctl_table *ctl, int write,
 static struct ctl_table callhome_table[] = {
 	{
 		.procname	= "callhome",
+		.maxlen		= 3,
 		.mode		= 0644,
 		.proc_handler	= proc_handler_callhome,
 	},

^ permalink raw reply related	[flat|nested] 3+ messages in thread

* Re: [patch] s390: potential buffer overflow
  2010-03-30  9:43 [patch] s390: potential buffer overflow Dan Carpenter
@ 2010-03-30 16:25 ` Eric W. Biederman
  2010-03-30 16:45   ` [patch v2] " Dan Carpenter
  0 siblings, 1 reply; 3+ messages in thread
From: Eric W. Biederman @ 2010-03-30 16:25 UTC (permalink / raw)
  To: Dan Carpenter
  Cc: Martin Schwidefsky, Heiko Carstens, linux390, Hans-Joachim Picht,
	Sebastian Ott, linux-s390, linux-kernel, kernel-janitors

Dan Carpenter <error27@gmail.com> writes:

> "len" hasn't been properly range checked so we shouldn't use it as an
> array offset.  This can only be written to by root but it would still be
> annoying to accidentally write more than 3 characters and corrupt your
> memory.
>
> Signed-off-by: Dan Carpenter <error27@gmail.com>
> ---
> I don't have a cross compile environment to compile this.  Sorry.  :/
>
> diff --git a/drivers/s390/char/sclp_async.c b/drivers/s390/char/sclp_async.c
> index f449c69..72c2e90 100644
> --- a/drivers/s390/char/sclp_async.c
> +++ b/drivers/s390/char/sclp_async.c
> @@ -84,7 +84,7 @@ static int proc_handler_callhome(struct ctl_table *ctl, int write,
>  		rc = copy_from_user(buf, buffer, sizeof(buf));
>  		if (rc != 0)
>  			return -EFAULT;
> -		buf[len - 1] = '\0';
> +		buf[sizeof(buf) - 1] = '\0';
>  		if (strict_strtoul(buf, 0, &val) != 0)
>  			return -EINVAL;
>  		if (val != 0 && val != 1)
> @@ -99,6 +99,7 @@ static int proc_handler_callhome(struct ctl_table *ctl, int write,
>  static struct ctl_table callhome_table[] = {
>  	{
>  		.procname	= "callhome",
> +		.maxlen		= 3,
>  		.mode		= 0644,
>  		.proc_handler	= proc_handler_callhome,
>  	},

Setting maxlen won't do any good as proc_handler_callhome doesn't look at it.

Eric


^ permalink raw reply	[flat|nested] 3+ messages in thread

* [patch v2] s390: potential buffer overflow
  2010-03-30 16:25 ` Eric W. Biederman
@ 2010-03-30 16:45   ` Dan Carpenter
  0 siblings, 0 replies; 3+ messages in thread
From: Dan Carpenter @ 2010-03-30 16:45 UTC (permalink / raw)
  To: Eric W. Biederman
  Cc: Martin Schwidefsky, Heiko Carstens, linux390, Hans-Joachim Picht,
	Sebastian Ott, linux-s390, linux-kernel, kernel-janitors

"len" hasn't been properly range checked so we shouldn't use it as an
array offset.  This can only be written to by root but it would still be
annoying to accidentally write more than 3 characters and corrupt your
memory.

Signed-off-by: Dan Carpenter <error27@gmail.com>
---
v2.  Removed a superfluous chunk from my first patch.  I didn't
understand how ->maxlen worked.

diff --git a/drivers/s390/char/sclp_async.c b/drivers/s390/char/sclp_async.c
index f449c69..38a9f55 100644
--- a/drivers/s390/char/sclp_async.c
+++ b/drivers/s390/char/sclp_async.c
@@ -84,7 +84,7 @@ static int proc_handler_callhome(struct ctl_table *ctl, int write,
 		rc = copy_from_user(buf, buffer, sizeof(buf));
 		if (rc != 0)
 			return -EFAULT;
-		buf[len - 1] = '\0';
+		buf[sizeof(buf) - 1] = '\0';
 		if (strict_strtoul(buf, 0, &val) != 0)
 			return -EINVAL;
 		if (val != 0 && val != 1)

^ permalink raw reply related	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2010-03-30 16:45 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2010-03-30  9:43 [patch] s390: potential buffer overflow Dan Carpenter
2010-03-30 16:25 ` Eric W. Biederman
2010-03-30 16:45   ` [patch v2] " Dan Carpenter

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox