* [OVERFLOW] in arch/mips/au1000/common/power.c
@ 2004-03-19 18:35 Stefan Esser
From: Stefan Esser @ 2004-03-19 18:35 UTC (permalink / raw)
To: linux-kernel
Hi,
sorry for the possible double posting, but my other mail seems
to be lost...
The following code seems very fishy ;)
static int pm_do_freq(ctl_table * ctl, int write, struct file *file,
                      void *buffer, size_t * len)
{
        int retval = 0, i;
        unsigned long val, pll;
#define TMPBUFLEN 64
#define MAX_CPU_FREQ 396
        char buf[8], *p;
        ...
        spin_lock_irqsave(&pm_lock, flags);
        if (!write) {
                *len = 0;
        } else {
                /* Parse the new frequency */
                if (*len > TMPBUFLEN - 1) {
                        spin_unlock_irqrestore(&pm_lock, flags);
                        return -EFAULT;
                }
                if (copy_from_user(buf, buffer, *len)) {
                        spin_unlock_irqrestore(&pm_lock, flags);
                        return -EFAULT;
                }
                buf[*len] = 0;
                p = buf;
Earth to linux kernel. Earth to linux kernel. Your buffer is only 8
bytes big and not TMPBUFLEN - 1.
Looks like a 56 byte stack overflow to me ;)
Stefan Esser
--
--------------------------------------------------------------------------
Stefan Esser s.esser@e-matters.de
e-matters Security http://security.e-matters.de/
GPG-Key gpg --keyserver pgp.mit.edu --recv-key 0xCF6CAE69
Key fingerprint B418 B290 ACC0 C8E5 8292 8B72 D6B0 7704 CF6C AE69
--------------------------------------------------------------------------
Did I help you? Consider a gift: http://wishlist.suspekt.org/
--------------------------------------------------------------------------
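A user-space model of the length check in pm_do_freq, added here as an example and not part of the original mail or of the kernel source: it computes how far the original bound (TMPBUFLEN - 1) lets a write run past the 8-byte buffer, and shows the hardened check that derives the bound from sizeof(buf). The function names, the memcpy stand-in for copy_from_user and the decimal parse are assumptions.

```c
/* Added example: models the bound check from pm_do_freq in user space.
 * memcpy stands in for copy_from_user so the logic runs offline. */
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

#define TMPBUFLEN 64   /* bound used by the original check */
#define BUF_SIZE  8    /* actual size of buf[] in pm_do_freq */
#define EFAULT    14

/* Largest user length the original check accepts (63) versus the
 * largest the buffer can really hold with a terminator (7). */
size_t buggy_max_len(void) { return TMPBUFLEN - 1; }
size_t safe_max_len(void)  { return BUF_SIZE - 1; }

/* Bytes written past the end of buf[] by the original code for a given
 * user length: the payload plus the terminating NUL at buf[*len].
 * Returns 0 when the request is rejected or fits. */
size_t overflow_bytes(size_t len)
{
        if (len > TMPBUFLEN - 1)        /* the original check */
                return 0;               /* rejected before any copy */
        size_t written = len + 1;       /* payload + buf[*len] = 0 */
        return written > BUF_SIZE ? written - BUF_SIZE : 0;
}

/* Hardened parse (assumed name): the bound comes from the buffer itself.
 * Returns the parsed frequency, or -EFAULT when the input is too long. */
long parse_freq_fixed(const char *user, size_t len)
{
        char buf[BUF_SIZE];

        if (len > sizeof(buf) - 1)      /* room for the terminator */
                return -EFAULT;
        memcpy(buf, user, len);         /* stands in for copy_from_user */
        buf[len] = 0;
        return (long) strtoul(buf, NULL, 10);
}
```

With the original bound, a 63-byte write plus its terminator lands 56 bytes beyond the buffer, the figure given in the mail.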