[PATCH] cs5535_gpio: Fix root triggerable integer underflow

From: Michael Buesch
Date: Sat Jul 18 2009 - 07:29:22 EST


This patch fixes a possible root triggerable (I hope the device is only
readable by root?) integer underflow.
Well, it's not really an underflow, but as loff_t is a signed type, the
range check at the start of the function is incomplete. It needs to check for <0, too.
Otherwise the loop below will poke into random memory and I/O space.
This could be used to crash the machine, at least.

This patch is only compiletested, because I do not have the hardware.

Signed-off-by: Michael Buesch <mb@xxxxxxxxx>

---

I'm not sure if this bug is exploitable. I _guess_ the device is only readable by root
on a standard setup.

---
drivers/char/cs5535_gpio.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- linux-2.6.orig/drivers/char/cs5535_gpio.c
+++ linux-2.6/drivers/char/cs5535_gpio.c
@@ -124,21 +124,21 @@ static ssize_t cs5535_gpio_write(struct
static ssize_t cs5535_gpio_read(struct file *file, char __user *buf,
size_t len, loff_t *ppos)
{
u32 m = iminor(file->f_path.dentry->d_inode);
u32 base = gpio_base + cs5535_lowhigh_base(m);
int rd_bit = 1 << (m & 0x0f);
int i;
char ch;
ssize_t count = 0;

- if (*ppos >= ARRAY_SIZE(rm))
+ if (*ppos < 0 || *ppos >= ARRAY_SIZE(rm))
return 0;

for (i = *ppos; (i < (*ppos + len)) && (i < ARRAY_SIZE(rm)); i++) {
ch = (inl(base + rm[i].rd_offset) & rd_bit) ?
rm[i].on : rm[i].off;

if (put_user(ch, buf+count))
return -EFAULT;

count++;

--
Greetings, Michael.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/