On 10/16/2013 11:53 PM, Ben Hutchings wrote:
> Commit e82b89a6f19bae73fb064d1b3dd91fcefbb478f4 introduces a trivial
> local denial of service.
>
>> --- a/arch/powerpc/kernel/vio.c
>> +++ b/arch/powerpc/kernel/vio.c
>> @@ -1351,11 +1351,15 @@ static ssize_t modalias_show(struct devi
>> const char *cp;
>>
>> dn = dev->of_node;
>> - if (!dn)
>> - return -ENODEV;
>> + if (!dn) {
>> + strcat(buf, "\n");
>
> Every read from the same sysfs file handle uses the same buffer, which
> gets zero-initialised just once. So if I open the file, read it and
> seek back to 0 repeatedly, I can make modalias_show() write arbitrary
> numbers of newlines into *and beyond* that page-sized buffer.
>
> Obviously strcat() should be strcpy().
>
D'oh! Of course -- I wasn't thinking clearly about that. I'll send out a new
patch.
P.
> Ben.
>
>> + return strlen(buf);
>> + }
>> cp = of_get_property(dn, "compatible", NULL);
>> - if (!cp)
>> - return -ENODEV;
>> + if (!cp) {
>> + strcat(buf, "\n");
>> + return strlen(buf);
>> + }
>>
>> return sprintf(buf, "vio:T%sS%s\n", vio_dev->type, cp);
>> }
>
_______________________________________________
Linuxppc-dev mailing list
Linuxppc-dev@lists.ozlabs.org
https://lists.ozlabs.org/listinfo/linuxppc-dev
