| commit | 5adbde98d6e305337b54ae7b758a84fe2bc67648 | |
| author | Michael Buesch <mb@bu3sch.de> | |
| Sat, 1 Aug 2009 17:19:33 +0000 (1 14:19 -0300) | ||
| committer | Henrique de Moraes Holschuh <hmh@hmh.eng.br> | |
| Sat, 1 Aug 2009 17:19:33 +0000 (1 14:19 -0300) | ||
| tree | 985dc853c80d7ecbc1386176a605b2aa2e6527e2 | treesnapshot (tar.gz zip) |
| parent | 97c163194f78b350d56e3b4e1633391087b1a66e | commitdiff |
thinkpad-acpi: Avoid heap buffer overrun
Avoid a heap buffer overrun triggered by an integer overflow of the
userspace controlled "count" variable.
If userspace passes in a "count" of (size_t)-1l, the kmalloc size will
overflow to ((size_t)-1l + 2) = 1, so only one byte will be allocated.
However, copy_from_user() will attempt to copy 0xFFFFFFFF (or
0xFFFFFFFFFFFFFFFF on 64bit) bytes to the buffer.
A possible testcase could look like this:
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
int main(int argc, char **argv)
{
int fd;
char c;
if (argc != 2) {
printf("Usage: %s /proc/acpi/ibm/filename\n", argv[0]);
return 1;
}
fd = open(argv[1], O_RDWR);
if (fd < 0) {
printf("Could not open proc file\n");
return 1;
}
write(fd, &c, (size_t)-1l);
}
We avoid the integer overrun by putting an arbitrary limit on the count.
PAGE_SIZE sounds like a sane limit.
(note: this bug exists at least since kernel 2.6.12...)
Signed-off-by: Michael Buesch <mb@bu3sch.de>
Acked-by: Henrique de Moraes Holschuh <hmh@hmh.eng.br>
Cc: stable@kernel.org
Avoid a heap buffer overrun triggered by an integer overflow of the
userspace controlled "count" variable.
If userspace passes in a "count" of (size_t)-1l, the kmalloc size will
overflow to ((size_t)-1l + 2) = 1, so only one byte will be allocated.
However, copy_from_user() will attempt to copy 0xFFFFFFFF (or
0xFFFFFFFFFFFFFFFF on 64bit) bytes to the buffer.
A possible testcase could look like this:
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
int main(int argc, char **argv)
{
int fd;
char c;
if (argc != 2) {
printf("Usage: %s /proc/acpi/ibm/filename\n", argv[0]);
return 1;
}
fd = open(argv[1], O_RDWR);
if (fd < 0) {
printf("Could not open proc file\n");
return 1;
}
write(fd, &c, (size_t)-1l);
}
We avoid the integer overrun by putting an arbitrary limit on the count.
PAGE_SIZE sounds like a sane limit.
(note: this bug exists at least since kernel 2.6.12...)
Signed-off-by: Michael Buesch <mb@bu3sch.de>
Acked-by: Henrique de Moraes Holschuh <hmh@hmh.eng.br>
Cc: stable@kernel.org
| drivers/platform/x86/thinkpad_acpi.c | diffblobblamehistory |