From: Stefan Esser <s.esser@e-matters.de>
To: linux-kernel@vger.kernel.org
Subject: [OVERFLOW] in arch/mips/au1000/common/power.c
Date: Fri, 19 Mar 2004 19:35:15 +0100
Message-ID: <20040319183515.GA29837@php.net>

Hi,

sorry for the possible double posting, but my other mail seems
to be lost...

The following code seems very fishy ;)

static int pm_do_freq(ctl_table * ctl, int write, struct file *file,
                      void *buffer, size_t * len)
{
        int retval = 0, i;
        unsigned long val, pll;
#define TMPBUFLEN 64
#define MAX_CPU_FREQ 396
        char buf[8], *p;            /* stack buffer: 8 bytes */

        ...

        spin_lock_irqsave(&pm_lock, flags);
        if (!write) {
                *len = 0;
        } else {
                /* Parse the new frequency */
                if (*len > TMPBUFLEN - 1) {     /* bound checked against 63, not sizeof(buf) */
                        spin_unlock_irqrestore(&pm_lock, flags);
                        return -EFAULT;
                }
                if (copy_from_user(buf, buffer, *len)) {        /* up to 63 bytes into buf[8] */
                        spin_unlock_irqrestore(&pm_lock, flags);
                        return -EFAULT;
                }
                buf[*len] = 0;                  /* NUL terminator lands at index *len */
                p = buf;

Earth to linux kernel. Earth to linux kernel. Your buffer is only 8
bytes big and not TMPBUFLEN - 1

Looks like a 56 byte stack overflow to me ;)

Stefan Esser

-- 

--------------------------------------------------------------------------
 Stefan Esser                                        s.esser@e-matters.de
 e-matters Security                         http://security.e-matters.de/

 GPG-Key                gpg --keyserver pgp.mit.edu --recv-key 0xCF6CAE69 
 Key fingerprint       B418 B290 ACC0 C8E5 8292  8B72 D6B0 7704 CF6C AE69
--------------------------------------------------------------------------
 Did I help you? Consider a gift:            http://wishlist.suspekt.org/
--------------------------------------------------------------------------
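The mismatch the mail points out, as an added user-space example (not kernel code and not part of the original post): the bound check is computed against the real buffer size, and a small helper shows how many bytes the original check lets a write run past an 8-byte buffer. copy_from_user() is replaced by memcpy(), and the number parsing after the copy (strtoul plus a MAX_CPU_FREQ comparison) is an assumption about what the elided part of the handler does, not taken from power.c.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constants as they appear in the quoted handler. */
#define TMPBUFLEN 64          /* the constant the original bound check uses */
#define FREQ_BUF_SIZE 8       /* the actual size of buf[] in pm_do_freq() */
#define MAX_CPU_FREQ 396

/* How many bytes a request of `len` bytes (plus the NUL written by
 * buf[*len] = 0) lands past the end of an 8-byte buffer under the
 * ORIGINAL check, which only rejects len > TMPBUFLEN - 1. Returns 0
 * when the request is either rejected or fits. Pure arithmetic, no
 * memory is actually overrun here. */
size_t overflow_bytes_original(size_t len)
{
    if (len > TMPBUFLEN - 1)
        return 0;                       /* rejected: nothing is copied */
    size_t written = len + 1;           /* payload plus terminating NUL */
    return written > FREQ_BUF_SIZE ? written - FREQ_BUF_SIZE : 0;
}

/* Hardened parse: the bound is derived from the destination buffer,
 * not from an unrelated constant. The caller passes its buffer and
 * its size so the check cannot drift from the declaration.
 * Returns 0 and stores the value in *freq, or a negative errno. */
int parse_freq_fixed(const char *user_buffer, size_t len,
                     char *buf, size_t bufsize, unsigned long *freq)
{
    /* Room for `len` bytes AND the NUL terminator is required. */
    if (bufsize == 0 || len >= bufsize)
        return -EFAULT;

    memcpy(buf, user_buffer, len);      /* stands in for copy_from_user() */
    buf[len] = '\0';

    /* Assumed parsing step: decimal MHz value, optional trailing newline
     * (sysctl writes usually carry one), bounded by MAX_CPU_FREQ. */
    char *end;
    unsigned long val = strtoul(buf, &end, 10);
    if (end == buf)
        return -EINVAL;                 /* no digits at all */
    if (*end != '\0' && *end != '\n')
        return -EINVAL;                 /* trailing garbage */
    if (val > MAX_CPU_FREQ)
        return -EINVAL;

    *freq = val;
    return 0;
}

int main(void)
{
    char buf[FREQ_BUF_SIZE];
    unsigned long freq = 0;

    /* Constructed inputs: a normal write and an oversized one. */
    printf("len 63 under original check overruns by %zu bytes\n",
           overflow_bytes_original(63));
    printf("\"396\\n\" -> rc %d freq %lu\n",
           parse_freq_fixed("396\n", 4, buf, sizeof buf, &freq), freq);
    printf("12-byte request -> rc %d\n",
           parse_freq_fixed("123456789012", 12, buf, sizeof buf, &freq));
    return 0;
}
```

The 56 reported by overflow_bytes_original(63) is exactly the figure in the mail: a 63-byte request passes the TMPBUFLEN - 1 check, and the terminator at index 63 sits 56 bytes beyond the end of an 8-byte buffer. Tying the check to sizeof(buf), or sizing buf to TMPBUFLEN so the two agree, closes the gap; the fixed variant also refuses the case len == bufsize, which the original style of check (`> size - 1`) would let the NUL write one byte out of bounds.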

