Re: [PATCH] thinkpad-acpi: Avoid heap buffer overrun
From: Michael Buesch
Date: Tue Jul 21 2009 - 06:47:50 EST
On Tuesday 21 July 2009 12:17:47 Michael Buesch wrote:
> On Tuesday 21 July 2009 12:16:17 Michael Buesch wrote:
> > Avoid a heap buffer overrun triggered by an integer overflow of the userspace
> > controlled "count" variable.
> > If userspace passes in a "count" of (size_t)-1l, the kmalloc size will overflow
> > to ((size_t)-1l + 2) = 1, so only one byte will be allocated. However, copy_from_user()
> > will attempt to copy 0xFFFFFFFF (or 0xFFFFFFFFFFFFFFFF on 64bit) bytes to the buffer.
> >
> > A possible testcase could look like this:
> >
> > #include <stdio.h>
> > #include <stdlib.h>
> > #include <unistd.h>
> > #include <fcntl.h>
> >
> > int main(int argc, char **argv)
> > {
> > int fd;
> > char c;
> >
> > if (argc != 2) {
> > printf("Usage: %s /proc/acpi/ibm/filename\n", argv[0]);
> > return 1;
> > }
> > fd = open(argv[1], O_RDWR);
> > if (fd < 0) {
> > printf("Could not open proc file\n");
> > return 1;
> > }
> > write(fd, &c, (size_t)-1l);
> > }
Hm, I just realized that for it to crash the source buffer must be big enough.
&c is on the stack. Maybe that's big enough to overrun the kmalloc()acted chunk
(there may be padding beyond the 1 byte). If it's not big enough, one must
malloc()ate a big buffer and pass it to write() instead.
This is all theoretical stuff, because I can't test it, but it looks sane. :)
> > We avoid the integer overrun by putting an arbitrary limit on the count.
> > PAGE_SIZE sounds like a sane limit.
> >
> > Signed-off-by: Michael Buesch <mb@xxxxxxxxx>
>
> Whoops, forgot
> Cc: stable@xxxxxxxxxx
--
Greetings, Michael.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/