[OVERFLOW] in arch/mips/au1000/common/power.c
From: Stefan Esser
Date: Fri Mar 19 2004 - 13:40:07 EST
Hi,
sorry for the possible double posting, but my other mail seems
to be lost...
The following code seems very fishy ;)
static int pm_do_freq(ctl_table * ctl, int write, struct file *file,
void *buffer, size_t * len)
{
int retval = 0, i;
unsigned long val, pll;
#define TMPBUFLEN 64
#define MAX_CPU_FREQ 396
char buf[8], *p;
...
spin_lock_irqsave(&pm_lock, flags);
if (!write) {
*len = 0;
} else {
/* Parse the new frequency */
if (*len > TMPBUFLEN - 1) {
spin_unlock_irqrestore(&pm_lock, flags);
return -EFAULT;
}
if (copy_from_user(buf, buffer, *len)) {
spin_unlock_irqrestore(&pm_lock, flags);
return -EFAULT;
}
buf[*len] = 0;
p = buf;
Earth to linux kernel. Earth to linux kernel. Your buffer is only 8
bytes big and not TMPBUFLEN - 1
Looks like a 56 byte stackoverflow to me ;)
Stefan Esser
--
--------------------------------------------------------------------------
Stefan Esser s.esser@xxxxxxxxxxxx
e-matters Security http://security.e-matters.de/
GPG-Key gpg --keyserver pgp.mit.edu --recv-key 0xCF6CAE69
Key fingerprint B418 B290 ACC0 C8E5 8292 8B72 D6B0 7704 CF6C AE69
--------------------------------------------------------------------------
Did I help you? Consider a gift: http://wishlist.suspekt.org/
--------------------------------------------------------------------------
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/