From: Cliff Wickman Date: Thu, 19 Jun 2008 16:16:24 +0000 (-0500) Subject: x86, SGI UV: TLB shootdown using broadcast assist unit, v6 X-Git-Tag: v2.6.27-rc1~1106^2~244^2~1 X-Git-Url: https://err.no/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=cef53278682eb2604cbd99de64cdb59a8b35235a;p=linux-2.6 x86, SGI UV: TLB shootdown using broadcast assist unit, v6 v6: 6/19 close the security hole in uv_ptc_proc_write()) > Found a potential security hole while doing that: > static ssize_t uv_ptc_proc_write(struct file *file, const char __user *user, > size_t count, loff_t *data) > if (copy_from_user(optstr, user, count)) > return -EFAULT; > > is count guaranteed to never be larger than 64? is fixed below. It adds tlb_uv.o to the Makefile. Signed-off-by: Cliff Wickman Cc: mingo@elte.hu Signed-off-by: Ingo Molnar --- diff --git a/arch/x86/kernel/tlb_uv.c b/arch/x86/kernel/tlb_uv.c index b362913f01..c503b7f044 100644 --- a/arch/x86/kernel/tlb_uv.c +++ b/arch/x86/kernel/tlb_uv.c @@ -492,6 +492,8 @@ static ssize_t uv_ptc_proc_write(struct file *file, const char __user *user, long newmode; char optstr[64]; + if (count > 64) + return -EINVAL; if (copy_from_user(optstr, user, count)) return -EFAULT; optstr[count - 1] = '\0';