* [PATCH] SN2: security hole in sn2_ptc_proc_write
@ 2008-06-19 22:08 Cliff Wickman
2008-06-22 17:41 ` Andi Kleen
` (3 more replies)
0 siblings, 4 replies; 5+ messages in thread
From: Cliff Wickman @ 2008-06-19 22:08 UTC
To: linux-ia64
From: Cliff Wickman <cpw@sgi.com>
Security hole in sn2_ptc_proc_write
It is possible to overrun a buffer with a write to this /proc file.
Diffed against 2.6.26-rc5
Signed-off-by: Cliff Wickman <cpw@sgi.com>
---
arch/ia64/sn/kernel/sn2/sn2_smp.c | 2 ++
1 file changed, 2 insertions(+)
Index: linux-2.6/arch/ia64/sn/kernel/sn2/sn2_smp.c
=================================--- linux-2.6.orig/arch/ia64/sn/kernel/sn2/sn2_smp.c
+++ linux-2.6/arch/ia64/sn/kernel/sn2/sn2_smp.c
@@ -512,6 +512,8 @@ static ssize_t sn2_ptc_proc_write(struct
int cpu;
char optstr[64];
+ if (count > 64)
+ return -EINVAL;
if (copy_from_user(optstr, user, count))
return -EFAULT;
optstr[count - 1] = '\0';
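Review bot: The added test `if (count > 64)` does not cover a zero-length write, and the unchanged last line of the hunk, `optstr[count - 1] = '\0';`, then indexes with count - 1. With an unsigned count that wraps to a very large index and the terminator is written outside optstr. Rejecting zero in the same test, for example `if (count == 0 || count > 64)`, closes both ends of the range.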
* Re: [PATCH] SN2: security hole in sn2_ptc_proc_write
From: Andi Kleen @ 2008-06-22 17:41 UTC
To: linux-ia64
Cliff Wickman <cpw@sgi.com> writes:
>
> Signed-off-by: Cliff Wickman <cpw@sgi.com>
> ---
> arch/ia64/sn/kernel/sn2/sn2_smp.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> Index: linux-2.6/arch/ia64/sn/kernel/sn2/sn2_smp.c
> =================================> --- linux-2.6.orig/arch/ia64/sn/kernel/sn2/sn2_smp.c
> +++ linux-2.6/arch/ia64/sn/kernel/sn2/sn2_smp.c
> @@ -512,6 +512,8 @@ static ssize_t sn2_ptc_proc_write(struct
> int cpu;
> char optstr[64];
>
> + if (count > 64)
> + return -EINVAL;
> if (copy_from_user(optstr, user, count))
> return -EFAULT;
> optstr[count - 1] = '\0';
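Review bot: The bound in `if (count > 64)` repeats the literal from `char optstr[64];` two lines above it, so a later change to the array size would leave the check stale without any compiler warning. Writing the comparison against `sizeof(optstr)` keeps the limit tied to the buffer it protects.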
When someone passes 0 you get a buffer underflow?
You need if (count < 0 || count > 64) methinks.
-Andi
* Re: [PATCH] SN2: security hole in sn2_ptc_proc_write
From: Bernhard Walle @ 2008-06-22 18:58 UTC
To: linux-ia64
* Andi Kleen <andi@firstfloor.org> [2008-06-22 19:41]:
>
> You need if (count < 0 || count > 64) me thinks.
size_t is unsigned.
Bernhard
--
Bernhard Walle, SUSE LINUX Products GmbH, Architecture Development
* Re: [PATCH] SN2: security hole in sn2_ptc_proc_write
From: Petr Tesarik @ 2008-06-22 19:13 UTC
To: linux-ia64
On Sun, 2008-06-22 at 20:58 +0200, Bernhard Walle wrote:
> * Andi Kleen <andi@firstfloor.org> [2008-06-22 19:41]:
> >
> > You need if (count < 0 || count > 64) me thinks.
>
> size_t is unsigned.
Correct, that's why you need:
if (count <= 0 || count > 64)
Cheers,
Petr Tesarik
* Re: [PATCH] SN2: security hole in sn2_ptc_proc_write
From: Andi Kleen @ 2008-06-22 20:04 UTC
To: linux-ia64
Bernhard Walle wrote:
> * Andi Kleen <andi@firstfloor.org> [2008-06-22 19:41]:
>> You need if (count < 0 || count > 64) me thinks.
>
> size_t is unsigned.
Yes = or <= sorry.
-Andi
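
The zero-length case discussed in this thread, as an added example that is not part of any message or of the kernel source: a user-space C model of the handler's length handling. The names `model_proc_write`, `copy_in`, `terminator_index` and `OPTSTR_SIZE` are hypothetical, and `memcpy` stands in for `copy_from_user`.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <sys/types.h>

#define OPTSTR_SIZE 64  /* matches char optstr[64] in the patch */

/*
 * Stand-in for copy_from_user() in this user-space model.
 * Returns the number of bytes left uncopied (always 0 here).
 */
static int copy_in(char *dst, const char *src, size_t n)
{
    memcpy(dst, src, n);
    return 0;
}

/* Returns bytes consumed or a negative errno; the parsed string goes to out. */
ssize_t model_proc_write(const char *user, size_t count,
                         char out[OPTSTR_SIZE])
{
    char optstr[OPTSTR_SIZE];

    /*
     * count is size_t (unsigned): "count < 0" can never be true, and for
     * count == 0 the index count - 1 wraps to SIZE_MAX. Reject zero
     * explicitly and bound the copy by the buffer's own size.
     */
    if (count == 0 || count > sizeof(optstr))
        return -EINVAL;
    if (copy_in(optstr, user, count))
        return -EFAULT;
    optstr[count - 1] = '\0';   /* index is now in [0, sizeof(optstr) - 1] */

    memcpy(out, optstr, count);
    return (ssize_t)count;
}

/* The index the terminator write would use for a given count, unchecked. */
size_t terminator_index(size_t count)
{
    return count - 1;
}
```

A full 64-byte write is accepted, and its last byte is replaced by the terminator, the same way the handler replaces a trailing newline.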