lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <200907181328.36292.mb@bu3sch.de>
Date:	Sat, 18 Jul 2009 13:28:36 +0200
From:	Michael Buesch <mb@...sch.de>
To:	Ben Gardner <bgardner@...tec.com>
Cc:	linux-kernel@...r.kernel.org
Subject: [PATCH] cs5535_gpio: Fix root triggerable integer underflow

This patch fixes a possible root triggerable (I hope the device is only
readable by root?) integer underflow.
Well, it's not really an underflow, but as loff_t is a signed type, the
range check at the start of the function is incomplete. It needs to check for <0, too.
Otherwise the loop below will poke into random memory and I/O space.
This could be used to crash the machine, at least.

This patch is only compiletested, because I do not have the hardware.

Signed-off-by: Michael Buesch <mb@...sch.de>

---

I'm not sure if this bug is exploitable. I _guess_ the device is only readable by root
on a standard setup.

---
 drivers/char/cs5535_gpio.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- linux-2.6.orig/drivers/char/cs5535_gpio.c
+++ linux-2.6/drivers/char/cs5535_gpio.c
@@ -124,21 +124,21 @@ static ssize_t cs5535_gpio_write(struct 
 static ssize_t cs5535_gpio_read(struct file *file, char __user *buf,
 				size_t len, loff_t *ppos)
 {
 	u32	m = iminor(file->f_path.dentry->d_inode);
 	u32	base = gpio_base + cs5535_lowhigh_base(m);
 	int	rd_bit = 1 << (m & 0x0f);
 	int	i;
 	char	ch;
 	ssize_t	count = 0;
 
-	if (*ppos >= ARRAY_SIZE(rm))
+	if (*ppos < 0 || *ppos >= ARRAY_SIZE(rm))
 		return 0;
 
 	for (i = *ppos; (i < (*ppos + len)) && (i < ARRAY_SIZE(rm)); i++) {
 		ch = (inl(base + rm[i].rd_offset) & rd_bit) ?
 		     rm[i].on : rm[i].off;
 
 		if (put_user(ch, buf+count))
 			return -EFAULT;
 
 		count++;

-- 
Greetings, Michael.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ