[patch 03/26] sysfs: zero terminate sysfs write buffers (CVE-2006-1055)
[Posted April 5, 2006 by corbet]
| From: |
| gregkh-AT-suse.de |
| To: |
| linux-kernel-AT-vger.kernel.org, stable-AT-kernel.org |
| Subject: |
| [patch 03/26] sysfs: zero terminate sysfs write buffers (CVE-2006-1055) |
| Date: |
| Tue, 4 Apr 2006 16:59:47 -0700 |
| Cc: |
| Justin Forbes <jmforbes-AT-linuxtx.org>,
Zwane Mwaikambo <zwane-AT-arm.linux.org.uk>,
Theodore Ts'o <tytso-AT-mit.edu>,
Randy Dunlap <rdunlap-AT-xenotime.net>,
Dave Jones <davej-AT-redhat.com>,
Chuck Wolber <chuckw-AT-quantumlinux.com>, torvalds-AT-osdl.org,
akpm-AT-osdl.org, alan-AT-lxorguk.ukuu.org.uk,
Greg Kroah-Hartman <gregkh-AT-suse.de> |
No one should be writing a PAGE_SIZE worth of data to a normal sysfs
file, so properly terminate the buffer.
Thanks to Al Viro for pointing out my stupidity here.
CVE-2006-1055 has been assigned for this.
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
fs/sysfs/file.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- linux-2.6.16.1.orig/fs/sysfs/file.c
+++ linux-2.6.16.1/fs/sysfs/file.c
@@ -183,7 +183,7 @@ fill_write_buffer(struct sysfs_buffer *
return -ENOMEM;
if (count >= PAGE_SIZE)
- count = PAGE_SIZE;
+ count = PAGE_SIZE - 1;
error = copy_from_user(buffer->page,buf,count);
buffer->needs_read_fill = 1;
return error ? -EFAULT : count;
--
