[PATCH] SN2: security hole in sn2_ptc_proc

public inbox for linux-ia64@vger.kernel.org
 help / color / mirror / Atom feed

* [PATCH] SN2: security hole in sn2_ptc_proc_write
@ 2008-06-19 22:08 Cliff Wickman
  2008-06-22 17:41 ` Andi Kleen
                   ` (3 more replies)
  0 siblings, 4 replies; 5+ messages in thread
From: Cliff Wickman @ 2008-06-19 22:08 UTC (permalink / raw)
  To: linux-ia64



From: Cliff Wickman <cpw@sgi.com>

Security hole in sn2_ptc_proc_write

It is possible to overrun a buffer with a write to this /proc file.

Diffed against 2.6.26-rc5

Signed-off-by: Cliff Wickman <cpw@sgi.com>
---
 arch/ia64/sn/kernel/sn2/sn2_smp.c |    2 ++
 1 file changed, 2 insertions(+)

Index: linux-2.6/arch/ia64/sn/kernel/sn2/sn2_smp.c
=================================--- linux-2.6.orig/arch/ia64/sn/kernel/sn2/sn2_smp.c
+++ linux-2.6/arch/ia64/sn/kernel/sn2/sn2_smp.c
@@ -512,6 +512,8 @@ static ssize_t sn2_ptc_proc_write(struct
 	int cpu;
 	char optstr[64];
 
+	if (count > 64)
+		return -EINVAL;
 	if (copy_from_user(optstr, user, count))
 		return -EFAULT;
 	optstr[count - 1] = '\0';

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH] SN2: security hole in sn2_ptc_proc_write
  2008-06-19 22:08 [PATCH] SN2: security hole in sn2_ptc_proc_write Cliff Wickman
@ 2008-06-22 17:41 ` Andi Kleen
  2008-06-22 18:58 ` Bernhard Walle
                   ` (2 subsequent siblings)
  3 siblings, 0 replies; 5+ messages in thread
From: Andi Kleen @ 2008-06-22 17:41 UTC (permalink / raw)
  To: linux-ia64

Cliff Wickman <cpw@sgi.com> writes:
>
> Signed-off-by: Cliff Wickman <cpw@sgi.com>
> ---
>  arch/ia64/sn/kernel/sn2/sn2_smp.c |    2 ++
>  1 file changed, 2 insertions(+)
>
> Index: linux-2.6/arch/ia64/sn/kernel/sn2/sn2_smp.c
> =================================> --- linux-2.6.orig/arch/ia64/sn/kernel/sn2/sn2_smp.c
> +++ linux-2.6/arch/ia64/sn/kernel/sn2/sn2_smp.c
> @@ -512,6 +512,8 @@ static ssize_t sn2_ptc_proc_write(struct
>  	int cpu;
>  	char optstr[64];
>  
> +	if (count > 64)
> +		return -EINVAL;
>  	if (copy_from_user(optstr, user, count))
>  		return -EFAULT;
>  	optstr[count - 1] = '\0';


When someone passes 0 you get an buffer underflow? 

You need if (count < 0 || count > 64) me thinks.

-Andi

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH] SN2: security hole in sn2_ptc_proc_write
  2008-06-19 22:08 [PATCH] SN2: security hole in sn2_ptc_proc_write Cliff Wickman
  2008-06-22 17:41 ` Andi Kleen
@ 2008-06-22 18:58 ` Bernhard Walle
  2008-06-22 19:13 ` Petr Tesarik
  2008-06-22 20:04 ` Andi Kleen
  3 siblings, 0 replies; 5+ messages in thread
From: Bernhard Walle @ 2008-06-22 18:58 UTC (permalink / raw)
  To: linux-ia64

* Andi Kleen <andi@firstfloor.org> [2008-06-22 19:41]:
>
> You need if (count < 0 || count > 64) me thinks.

size_t is unsigned.


Bernhard
-- 
Bernhard Walle, SUSE LINUX Products GmbH, Architecture Development

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH] SN2: security hole in sn2_ptc_proc_write
  2008-06-19 22:08 [PATCH] SN2: security hole in sn2_ptc_proc_write Cliff Wickman
  2008-06-22 17:41 ` Andi Kleen
  2008-06-22 18:58 ` Bernhard Walle
@ 2008-06-22 19:13 ` Petr Tesarik
  2008-06-22 20:04 ` Andi Kleen
  3 siblings, 0 replies; 5+ messages in thread
From: Petr Tesarik @ 2008-06-22 19:13 UTC (permalink / raw)
  To: linux-ia64

On Sun, 2008-06-22 at 20:58 +0200, Bernhard Walle wrote:
> * Andi Kleen <andi@firstfloor.org> [2008-06-22 19:41]:
> >
> > You need if (count < 0 || count > 64) me thinks.
> 
> size_t is unsigned.

Correct, that's why you need:

  if (count <= 0 || count > 64)

Cheers,
Petr Tesarik



^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH] SN2: security hole in sn2_ptc_proc_write
  2008-06-19 22:08 [PATCH] SN2: security hole in sn2_ptc_proc_write Cliff Wickman
                   ` (2 preceding siblings ...)
  2008-06-22 19:13 ` Petr Tesarik
@ 2008-06-22 20:04 ` Andi Kleen
  3 siblings, 0 replies; 5+ messages in thread
From: Andi Kleen @ 2008-06-22 20:04 UTC (permalink / raw)
  To: linux-ia64

Bernhard Walle wrote:
> * Andi Kleen <andi@firstfloor.org> [2008-06-22 19:41]:
>> You need if (count < 0 || count > 64) me thinks.
> 
> size_t is unsigned.

Yes = or <= sorry. 

-Andi


^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2008-06-22 20:04 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2008-06-19 22:08 [PATCH] SN2: security hole in sn2_ptc_proc_write Cliff Wickman
2008-06-22 17:41 ` Andi Kleen
2008-06-22 18:58 ` Bernhard Walle
2008-06-22 19:13 ` Petr Tesarik
2008-06-22 20:04 ` Andi Kleen

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox