[PATCH] sysctl: Make sure proc handlers can't expose heap memory

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Just as a precaution, make sure that proc handlers don't accidentally
grow "count" beyond the allocated kbuf size.

Signed-off-by: Kees Cook <keescook@xxxxxxxxxxxx>
---
This applies to hch's sysctl cleanup tree...
---
 fs/proc/proc_sysctl.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/fs/proc/proc_sysctl.c b/fs/proc/proc_sysctl.c
index 15030784566c..535ab26473af 100644
--- a/fs/proc/proc_sysctl.c
+++ b/fs/proc/proc_sysctl.c
@@ -546,6 +546,7 @@ static ssize_t proc_sys_call_handler(struct file *filp, void __user *ubuf,
 	struct inode *inode = file_inode(filp);
 	struct ctl_table_header *head = grab_header(inode);
 	struct ctl_table *table = PROC_I(inode)->sysctl_entry;
+	size_t count_max = count;
 	void *kbuf;
 	ssize_t error;
 
@@ -590,6 +591,8 @@ static ssize_t proc_sys_call_handler(struct file *filp, void __user *ubuf,
 
 	if (!write) {
 		error = -EFAULT;
+		if (WARN_ON(count > count_max))
+			count = count_max;
 		if (copy_to_user(ubuf, kbuf, count))
 			goto out_free_buf;
 	}
-- 
2.20.1


-- 
Kees Cook




[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Bugtraq]     [Linux OMAP]     [Linux MIPS]     [eCos]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux