Re: CVE-2009-2584

From: Jack Steiner
Date: Thu Nov 05 2009 - 13:16:38 EST


On Thu, Nov 05, 2009 at 06:47:33PM +0100, Michael Buesch wrote:
> On Thursday 05 November 2009 18:38:21 Linus Torvalds wrote:
> > @@ -161,14 +161,15 @@ static int options_show(struct seq_file *s, void *p)
> > static ssize_t options_write(struct file *file, const char __user *userbuf,
> > size_t count, loff_t *data)
> > {
> > - unsigned long val;
> > - char buf[80];
> > + char buf[16];
> >
> > - if (strncpy_from_user(buf, userbuf, sizeof(buf) - 1) < 0)
> > + if (count >= sizeof(buf))
> > + return -EINVAL;
> > + if (copy_from_user(buf, userbuf, count))
> > return -EFAULT;
> > - buf[count - 1] = '\0';
> > - if (!strict_strtoul(buf, 10, &val))
> > - gru_options = val;
> > + buf[count] = '\0';
> > + if (strict_strtoul(buf, 0, &gru_options))
> > + return -EINVAL;
> >
> > return count;
> > }
> >
> >
>
> Looks OK to me. I can't test it however, as I don't own the hardware.

"buf" should be larger than 16. The string could be "0x" + 16 characters.

I'll verify the the rest.


We have the hardware :-)


--- jack
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/