[ibm-acpi-devel] WARNING: security hole in thinkpad-acpi and ibm-acpi kernel modules

2009-07-21 Thread Henrique de Moraes Holschuh
See attached patch and analysis. Considerations: Nobody has tried to write an exploit for this bug yet, but it does seem like it is exploitable. By default, /proc/acpi/ibm/* can only be written to by root, and thus the bug would only matter if it allows a restricted root user (say, on a SELinux s

[ibm-acpi-devel] [PATCH] thinkpad-acpi: Avoid heap buffer overrun

2009-07-21 Thread Henrique de Moraes Holschuh
From: Michael Buesch Avoid a heap buffer overrun triggered by an integer overflow of the userspace controlled "count" variable. If userspace passes in a "count" of (size_t)-1l, the kmalloc size will overflow to ((size_t)-1l + 2) = 1, so only one byte will be allocated. However, copy_from_user()

Re: [ibm-acpi-devel] [PATCH] thinkpad-acpi: Avoid heap buffer overrun

2009-07-21 Thread Henrique de Moraes Holschuh
On Tue, 21 Jul 2009, Michael Buesch wrote: > Avoid a heap buffer overrun triggered by an integer overflow of the userspace > controlled "count" variable. > If userspace passes in a "count" of (size_t)-1l, the kmalloc size will > overflow > to ((size_t)-1l + 2) = 1, so only one byte will be allocat

[ibm-acpi-devel] [PATCH] thinkpad-acpi: Avoid heap buffer overrun

2009-07-21 Thread Michael Buesch
Avoid a heap buffer overrun triggered by an integer overflow of the userspace controlled "count" variable. If userspace passes in a "count" of (size_t)-1l, the kmalloc size will overflow to ((size_t)-1l + 2) = 1, so only one byte will be allocated. However, copy_from_user() will attempt to copy 0x

Re: [ibm-acpi-devel] [PATCH] thinkpad-acpi: Avoid heap buffer overrun

2009-07-21 Thread Michael Buesch
On Tuesday 21 July 2009 12:17:47 Michael Buesch wrote: > On Tuesday 21 July 2009 12:16:17 Michael Buesch wrote: > > Avoid a heap buffer overrun triggered by an integer overflow of the > > userspace > > controlled "count" variable. > > If userspace passes in a "count" of (size_t)-1l, the kmalloc si

Re: [ibm-acpi-devel] [PATCH] thinkpad-acpi: Avoid heap buffer overrun

2009-07-21 Thread Michael Buesch
On Tuesday 21 July 2009 12:16:17 Michael Buesch wrote: > Avoid a heap buffer overrun triggered by an integer overflow of the userspace > controlled "count" variable. > If userspace passes in a "count" of (size_t)-1l, the kmalloc size will > overflow > to ((size_t)-1l + 2) = 1, so only one byte wil