Date: Mon, 23 Jun 2008 08:32:25 -0500 From: Cliff Wickman <cpw@....com> To: mingo@...e.hu Cc: linux-kernel@...r.kernel.org Subject: [PATCH] SGI UV: uv_ptc_proc_write security hole From: Cliff Wickman <cpw@....com> Someone could write 0 bytes to /proc/sgi_uv/ptc_statistics, causing optstr[count - 1] = '\0'; to write to who-knows-where. (Andi Kleen noticed this need from a patch I sent for similar code in the ia64 world (sn2_ptc_proc_write()).) (count less than zero is not possible here, as count is unsigned) Diffed against 2.6.26-rc6 Signed-off-by: Cliff Wickman <cpw@....com> --- arch/x86/kernel/tlb_uv.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) Index: linux/arch/x86/kernel/tlb_uv.c =================================================================== --- linux.orig/arch/x86/kernel/tlb_uv.c +++ linux/arch/x86/kernel/tlb_uv.c @@ -492,7 +492,7 @@ static ssize_t uv_ptc_proc_write(struct long newmode; char optstr[64]; - if (count > 64) + if (count == 0 || count > sizeof(optstr)) return -EINVAL; if (copy_from_user(optstr, user, count)) return -EFAULT; -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
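Review bot: In the new check "if (count == 0 || count > sizeof(optstr))", rejecting count == 0 is correct, but the changelog should state the failure rather than "who-knows-where": count is unsigned, so for a zero-length write count - 1 wraps and the store optstr[count - 1] = '\0' lands outside the on-stack array declared as "char optstr[64];". A second point on the same termination statement: it replaces the last byte copied from user space, so input written without a trailing newline loses its final character. Accepting at most sizeof(optstr) - 1 bytes and terminating at optstr[count] would remove both the zero-length special case and that truncation. Replacing the literal 64 with sizeof(optstr) is a good change, since the bound now follows the declaration.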