[ibm-acpi-devel] [PATCH] thinkpad-acpi: Avoid heap buffer overrun

Tue, 21 Jul 2009 08:08:22 -0700 

Avoid a heap buffer overrun triggered by an integer overflow of the userspace
controlled "count" variable.
If userspace passes in a "count" of (size_t)-1l, the kmalloc size will overflow
to ((size_t)-1l + 2) = 1, so only one byte will be allocated. However, 
copy_from_user()
will attempt to copy 0xFFFFFFFF (or 0xFFFFFFFFFFFFFFFF on 64bit) bytes to the 
buffer.

A possible testcase could look like this:

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>

int main(int argc, char **argv)
{
        int fd;
        char c;

        if (argc != 2) {
                printf("Usage: %s /proc/acpi/ibm/filename\n", argv[0]);
                return 1;
        }
        fd = open(argv[1], O_RDWR);
        if (fd < 0) {
                printf("Could not open proc file\n");
                return 1;
        }
        write(fd, &c, (size_t)-1l);
}

We avoid the integer overrun by putting an arbitrary limit on the count.
PAGE_SIZE sounds like a sane limit.

Signed-off-by: Michael Buesch <m...@bu3sch.de>

---

This patch is completely untested due to lack of supported device.
The proc file is only writeable by root, so it's probably not exploitable as-is.

---
 drivers/platform/x86/thinkpad_acpi.c |    2 ++
 1 file changed, 2 insertions(+)

--- linux-2.6.orig/drivers/platform/x86/thinkpad_acpi.c
+++ linux-2.6/drivers/platform/x86/thinkpad_acpi.c
@@ -777,20 +777,22 @@ static int dispatch_procfs_read(char *pa
 static int dispatch_procfs_write(struct file *file,
                        const char __user *userbuf,
                        unsigned long count, void *data)
 {
        struct ibm_struct *ibm = data;
        char *kernbuf;
        int ret;
 
        if (!ibm || !ibm->write)
                return -EINVAL;
+       if (count > PAGE_SIZE - 2)
+               return -EINVAL;
 
        kernbuf = kmalloc(count + 2, GFP_KERNEL);
        if (!kernbuf)
                return -ENOMEM;
 
        if (copy_from_user(kernbuf, userbuf, count)) {
                kfree(kernbuf);
                return -EFAULT;
        }
 
 

-- 
Greetings, Michael.

------------------------------------------------------------------------------
Enter the BlackBerry Developer Challenge  
This is your chance to win up to $100,000 in prizes! For a limited time, 
vendors submitting new applications to BlackBerry App World(TM) will have
the opportunity to enter the BlackBerry Developer Challenge. See full prize  
details at: http://p.sf.net/sfu/Challenge
_______________________________________________
ibm-acpi-devel mailing list
ibm-acpi-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/ibm-acpi-devel

Reply via email to