User: Password:
|
|
Subscribe / Log in / New account

[patch 03/26] sysfs: zero terminate sysfs write buffers (CVE-2006-1055)

From:  gregkh-AT-suse.de
To:  linux-kernel-AT-vger.kernel.org, stable-AT-kernel.org
Subject:  [patch 03/26] sysfs: zero terminate sysfs write buffers (CVE-2006-1055)
Date:  Tue, 4 Apr 2006 16:59:47 -0700
Cc:  Justin Forbes <jmforbes-AT-linuxtx.org>, Zwane Mwaikambo <zwane-AT-arm.linux.org.uk>, Theodore Ts'o <tytso-AT-mit.edu>, Randy Dunlap <rdunlap-AT-xenotime.net>, Dave Jones <davej-AT-redhat.com>, Chuck Wolber <chuckw-AT-quantumlinux.com>, torvalds-AT-osdl.org, akpm-AT-osdl.org, alan-AT-lxorguk.ukuu.org.uk, Greg Kroah-Hartman <gregkh-AT-suse.de>
Archive-link:  Article, Thread

No one should be writing a PAGE_SIZE worth of data to a normal sysfs
file, so properly terminate the buffer.

Thanks to Al Viro for pointing out my stupidity here.

CVE-2006-1055 has been assigned for this.

Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

---
 fs/sysfs/file.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- linux-2.6.16.1.orig/fs/sysfs/file.c
+++ linux-2.6.16.1/fs/sysfs/file.c
@@ -183,7 +183,7 @@ fill_write_buffer(struct sysfs_buffer * 
 		return -ENOMEM;
 
 	if (count >= PAGE_SIZE)
-		count = PAGE_SIZE;
+		count = PAGE_SIZE - 1;
 	error = copy_from_user(buffer->page,buf,count);
 	buffer->needs_read_fill = 1;
 	return error ? -EFAULT : count;

--


(Log in to post comments)


Copyright © 2006, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds