| commit | 0c342c27c89a8be1b5e22b41f6aec12e4e8a99a2 | |
| author | Michael Buesch <mb@bu3sch.de> | |
| Fri, 13 May 2011 12:22:04 +0000 (13 09:22 -0300) | ||
| committer | Henrique de Moraes Holschuh <hmh@hmh.eng.br> | |
| Fri, 13 May 2011 12:22:04 +0000 (13 09:22 -0300) | ||
| tree | 0baaf3995d3793223e055333d9f9e2fa278a7eb0 | treesnapshot (tar.gz zip) |
| parent | 2311e57c8004568d7cf9f450a6b5ebfb5c0a4557 | commitdiff |
thinkpad-acpi: Avoid heap buffer overrun
Avoid a heap buffer overrun triggered by an integer overflow of the
userspace controlled "count" variable.
If userspace passes in a "count" of (size_t)-1l, the kmalloc size will
overflow to ((size_t)-1l + 2) = 1, so only one byte will be allocated.
However, copy_from_user() will attempt to copy 0xFFFFFFFF (or
0xFFFFFFFFFFFFFFFF on 64bit) bytes to the buffer.
A possible testcase could look like this:
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
int main(int argc, char **argv)
{
int fd;
char c;
if (argc != 2) {
printf("Usage: %s /proc/acpi/ibm/filename\n", argv[0]);
return 1;
}
fd = open(argv[1], O_RDWR);
if (fd < 0) {
printf("Could not open proc file\n");
return 1;
}
write(fd, &c, (size_t)-1l);
}
We avoid the integer overrun by putting an arbitrary limit on the count.
PAGE_SIZE sounds like a sane limit.
(note: this bug exists at least since kernel 2.6.12...)
Signed-off-by: Michael Buesch <mb@bu3sch.de>
Acked-by: Henrique de Moraes Holschuh <hmh@hmh.eng.br>
Cc: stable@kernel.org
Avoid a heap buffer overrun triggered by an integer overflow of the
userspace controlled "count" variable.
If userspace passes in a "count" of (size_t)-1l, the kmalloc size will
overflow to ((size_t)-1l + 2) = 1, so only one byte will be allocated.
However, copy_from_user() will attempt to copy 0xFFFFFFFF (or
0xFFFFFFFFFFFFFFFF on 64bit) bytes to the buffer.
A possible testcase could look like this:
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
int main(int argc, char **argv)
{
int fd;
char c;
if (argc != 2) {
printf("Usage: %s /proc/acpi/ibm/filename\n", argv[0]);
return 1;
}
fd = open(argv[1], O_RDWR);
if (fd < 0) {
printf("Could not open proc file\n");
return 1;
}
write(fd, &c, (size_t)-1l);
}
We avoid the integer overrun by putting an arbitrary limit on the count.
PAGE_SIZE sounds like a sane limit.
(note: this bug exists at least since kernel 2.6.12...)
Signed-off-by: Michael Buesch <mb@bu3sch.de>
Acked-by: Henrique de Moraes Holschuh <hmh@hmh.eng.br>
Cc: stable@kernel.org
| drivers/platform/x86/thinkpad_acpi.c | diffblobblamehistory |