Re: [PATCH] powerpc/vio: Fix modalias_show return values

2013-10-17 Thread Prarit Bhargava


On 10/16/2013 11:53 PM, Ben Hutchings wrote:
 Commit e82b89a6f19bae73fb064d1b3dd91fcefbb478f4 introduces a trivial
 local denial of service.
 
 --- a/arch/powerpc/kernel/vio.c
 +++ b/arch/powerpc/kernel/vio.c
 @@ -1351,11 +1351,15 @@ static ssize_t modalias_show(struct devi
  const char *cp;
  
  dn = dev-of_node;
 -if (!dn)
 -return -ENODEV;
 +if (!dn) {
 +strcat(buf, \n);
 
 Every read from the same sysfs file handle uses the same buffer, which
 gets zero-initialised just once.  So if I open the file, read it and
 seek back to 0 repeatedly, I can make modalias_show() write arbitrary
 numbers of newlines into *and beyond* that page-sized buffer.
 
 Obviously strcat() should be strcpy().
 

D'oh!  Of course -- I wasn't thinking clearly about that.  I'll send out a new
patch.

P.

 Ben.
 
 +return strlen(buf);
 +}
  cp = of_get_property(dn, compatible, NULL);
 -if (!cp)
 -return -ENODEV;
 +if (!cp) {
 +strcat(buf, \n);
 +return strlen(buf);
 +}
  
  return sprintf(buf, vio:T%sS%s\n, vio_dev-type, cp);
  }
 
___
Linuxppc-dev mailing list
Linuxppc-dev@lists.ozlabs.org
https://lists.ozlabs.org/listinfo/linuxppc-dev


Re: [PATCH] powerpc/vio: Fix modalias_show return values

2013-10-16 Thread Ben Hutchings
Commit e82b89a6f19bae73fb064d1b3dd91fcefbb478f4 introduces a trivial
local denial of service.

 --- a/arch/powerpc/kernel/vio.c
 +++ b/arch/powerpc/kernel/vio.c
 @@ -1351,11 +1351,15 @@ static ssize_t modalias_show(struct devi
   const char *cp;
  
   dn = dev-of_node;
 - if (!dn)
 - return -ENODEV;
 + if (!dn) {
 + strcat(buf, \n);

Every read from the same sysfs file handle uses the same buffer, which
gets zero-initialised just once.  So if I open the file, read it and
seek back to 0 repeatedly, I can make modalias_show() write arbitrary
numbers of newlines into *and beyond* that page-sized buffer.

Obviously strcat() should be strcpy().

Ben.

 + return strlen(buf);
 + }
   cp = of_get_property(dn, compatible, NULL);
 - if (!cp)
 - return -ENODEV;
 + if (!cp) {
 + strcat(buf, \n);
 + return strlen(buf);
 + }
  
   return sprintf(buf, vio:T%sS%s\n, vio_dev-type, cp);
  }
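
Review bot: the second `strcat(buf, \n)` in the `!cp` branch appends to the reused buffer in the same way as the one in the `!dn` branch, and `return strlen(buf)` in both branches then reports the accumulated length rather than the one byte this call meant to produce. Both branches should write from the start of buf and return that write's length, for example with the same `return sprintf(buf, ...)` form the final line of the function already uses.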

-- 
Ben Hutchings
Horngren's Observation:
   Among economists, the real world is often a special case.
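
Added example, not part of the original thread or the kernel source: a userspace model of the behaviour described in the review above, where one buffer is zeroed once and then passed to the show routine on every read. The names `SIM_PAGE_SIZE`, `show_strcat`, `show_strcpy` and `simulate_reads` are assumptions made for this model, and the loop stops before any out-of-bounds write instead of performing one.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SIM_PAGE_SIZE 4096 /* assumed page size for this model */

/* Models the patched error path: appends to whatever is already in buf. */
static long show_strcat(char *buf)
{
    strcat(buf, "\n");
    return (long)strlen(buf);
}

/* Models the suggested correction: always writes from the start of buf. */
static long show_strcpy(char *buf)
{
    strcpy(buf, "\n");
    return (long)strlen(buf);
}

/*
 * Calls show() `reads` times on one buffer that is zeroed only once.
 * Returns the last reported length, -1 if the next call would have
 * written past the page (the model stops), -2 if allocation fails.
 */
static long simulate_reads(long (*show)(char *), int reads)
{
    char *page = calloc(1, SIM_PAGE_SIZE);
    long len = 0;
    if (!page)
        return -2;
    for (int i = 0; i < reads; i++) {
        /* An append needs room for one more byte plus the NUL. */
        if (strlen(page) + 2 > SIM_PAGE_SIZE) {
            len = -1;
            break;
        }
        len = show(page);
    }
    free(page);
    return len;
}

int main(void)
{
    printf("strcat, 3 reads:    %ld\n", simulate_reads(show_strcat, 3));
    printf("strcat, 4096 reads: %ld\n", simulate_reads(show_strcat, 4096));
    printf("strcpy, 4096 reads: %ld\n", simulate_reads(show_strcpy, 4096));
    return 0;
}
```

With the append form the reported length grows by one per read until the page is full; with the overwrite form it stays at 1 no matter how many reads are made.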



Re: [PATCH] powerpc/vio: Fix modalias_show return values

2013-10-16 Thread Benjamin Herrenschmidt
On Thu, 2013-10-17 at 04:53 +0100, Ben Hutchings wrote:
 Commit e82b89a6f19bae73fb064d1b3dd91fcefbb478f4 introduces a trivial
 local denial of service.

Oops. Prarit, please send a fix asap ! I'm travelling right now.

Thanks !
Ben.

  --- a/arch/powerpc/kernel/vio.c
  +++ b/arch/powerpc/kernel/vio.c
  @@ -1351,11 +1351,15 @@ static ssize_t modalias_show(struct devi
  const char *cp;
   
  dn = dev-of_node;
  -   if (!dn)
  -   return -ENODEV;
  +   if (!dn) {
  +   strcat(buf, \n);
 
 Every read from the same sysfs file handle uses the same buffer, which
 gets zero-initialised just once.  So if I open the file, read it and
 seek back to 0 repeatedly, I can make modalias_show() write arbitrary
 numbers of newlines into *and beyond* that page-sized buffer.
 
 Obviously strcat() should be strcpy().
 
 Ben.
 
  +   return strlen(buf);
  +   }
  cp = of_get_property(dn, compatible, NULL);
  -   if (!cp)
  -   return -ENODEV;
  +   if (!cp) {
  +   strcat(buf, \n);
  +   return strlen(buf);
  +   }
   
  return sprintf(buf, vio:T%sS%s\n, vio_dev-type, cp);
   }
 

