[patch 03/26] sysfs: zero terminate sysfs write buffers (CVE-2006-1055)

From: gregkh
Date: Tue Apr 04 2006 - 20:01:36 EST

Next message: gregkh: "[patch 05/26] USB: usbcore: usb_set_configuration oops (NULL ptr dereference)"
Previous message: gregkh: "[patch 04/26] USB: EHCI full speed ISO bugfixes"
In reply to: gregkh: "[patch 04/26] USB: EHCI full speed ISO bugfixes"
Next in thread: Sergey Vlasov: "Re: [patch 03/26] sysfs: zero terminate sysfs write buffers(CVE-2006-1055)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

No one should be writing a PAGE_SIZE worth of data to a normal sysfs
file, so properly terminate the buffer.

Thanks to Al Viro for pointing out my stupidity here.

CVE-2006-1055 has been assigned for this.

Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxx>

---
fs/sysfs/file.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- linux-2.6.16.1.orig/fs/sysfs/file.c
+++ linux-2.6.16.1/fs/sysfs/file.c
@@ -183,7 +183,7 @@ fill_write_buffer(struct sysfs_buffer *
return -ENOMEM;

if (count >= PAGE_SIZE)
- count = PAGE_SIZE;
+ count = PAGE_SIZE - 1;
error = copy_from_user(buffer->page,buf,count);
buffer->needs_read_fill = 1;
return error ? -EFAULT : count;

--
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: gregkh: "[patch 05/26] USB: usbcore: usb_set_configuration oops (NULL ptr dereference)"
Previous message: gregkh: "[patch 04/26] USB: EHCI full speed ISO bugfixes"
In reply to: gregkh: "[patch 04/26] USB: EHCI full speed ISO bugfixes"
Next in thread: Sergey Vlasov: "Re: [patch 03/26] sysfs: zero terminate sysfs write buffers(CVE-2006-1055)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]