Re: [patch 03/26] sysfs: zero terminate sysfs write buffers(CVE-2006-1055)
From: Sergey Vlasov
Date: Wed Apr 05 2006 - 11:10:07 EST
On Tue, 4 Apr 2006 16:59:47 -0700 gregkh@xxxxxxx wrote:
> No one should be writing a PAGE_SIZE worth of data to a normal sysfs
> file, so properly terminate the buffer.
>
> Thanks to Al Viro for pointing out my stupidity here.
>
> CVE-2006-1055 has been assigned for this.
>
> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxx>
>
> ---
> fs/sysfs/file.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> --- linux-2.6.16.1.orig/fs/sysfs/file.c
> +++ linux-2.6.16.1/fs/sysfs/file.c
> @@ -183,7 +183,7 @@ fill_write_buffer(struct sysfs_buffer *
> return -ENOMEM;
>
> if (count >= PAGE_SIZE)
> - count = PAGE_SIZE;
> + count = PAGE_SIZE - 1;
> error = copy_from_user(buffer->page,buf,count);
> buffer->needs_read_fill = 1;
> return error ? -EFAULT : count;
This will break the "color_map" sysfs file for framebuffers -
drivers/video/fbsysfs.c:store_cmap() expects to get exactly 4096 bytes
for a colormap with 256 entries. In fact, the original patch which
changed PAGE_SIZE - 1 to PAGE_SIZE:
http://kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=9d9d27fb651a7c95a46f276bacb4329db47470a6
was done exactly for use with that "color_map" file.
This patch also does not completely guarantee that the buffer will be
null-terminated. A program may first call read() on the sysfs file,
which will allocate buffer->page and invoke ->show to fill that page;
then subsequent write() on the same file will reuse buffer->page. To
get really bad results, you need to have ->store which assumes
null-terminated buffer together with ->show which writes to the last
byte of the page (which is probably rare, but show_cmap() does exactly
that).
Attachment:
pgp00000.pgp
Description: PGP signature