+ parisc-ledc-fix-potential-stack-overflow-in-led_proc_write.patch added to -mm tree

akpm@xxxxxxxxxxxxxxxxxxxx · Tue, 03 Aug 2010 15:40:02 -0700

The patch titled
     parisc: led.c: fix potential stack overflow in led_proc_write()
has been added to the -mm tree.  Its filename is
     parisc-ledc-fix-potential-stack-overflow-in-led_proc_write.patch

Before you just go and hit "reply", please:
   a) Consider who else should be cc'ed
   b) Prefer to cc a suitable mailing list as well
   c) Ideally: find the original patch on the mailing list and do a
      reply-to-all to that, adding suitable additional cc's

*** Remember to use Documentation/SubmitChecklist when testing your code ***

See http://userweb.kernel.org/~akpm/stuff/added-to-mm.txt to find
out what to do about this

The current -mm tree may be found at http://userweb.kernel.org/~akpm/mmotm/

------------------------------------------------------
Subject: parisc: led.c: fix potential stack overflow in led_proc_write()
From: Helge Deller <deller@xxxxxx>

Avoid potential stack overflow by correctly checking count parameter.

Signed-off-by: Helge Deller <deller@xxxxxx>
Reported-by: Ilja <ilja@xxxxxxxxxx>
Cc: Kyle McMartin <kyle@xxxxxxxxxxx>
Cc: <stable@xxxxxxxxxx>
Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
---

 drivers/parisc/led.c |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff -puN drivers/parisc/led.c~parisc-ledc-fix-potential-stack-overflow-in-led_proc_write drivers/parisc/led.c

--- a/drivers/parisc/led.c~parisc-ledc-fix-potential-stack-overflow-in-led_proc_write
+++ a/drivers/parisc/led.c
@@ -176,16 +176,18 @@ static ssize_t led_proc_write(struct fil
 	size_t count, loff_t *pos)
 {
 	void *data = PDE(file->f_path.dentry->d_inode)->data;
-	char *cur, lbuf[count + 1];
+	char *cur, lbuf[32];
 	int d;
 
 	if (!capable(CAP_SYS_ADMIN))
 		return -EACCES;
 
-	memset(lbuf, 0, count + 1);
+	if (count >= sizeof(lbuf))
+		count = sizeof(lbuf)-1;
 
 	if (copy_from_user(lbuf, buf, count))
 		return -EFAULT;
+	lbuf[count] = 0;
 
 	cur = lbuf;
 
_

Patches currently in -mm which might be from deller@xxxxxx are

parisc-fix-wrong-page-aligned-size-calculation-in-ioremapping-code.patch
kmap_atomic-make-kunmap_atomic-harder-to-misuse.patch
parisc-ledc-fix-potential-stack-overflow-in-led_proc_write.patch
dma-mapping-parisc-set-arch_dma_minalign.patch

--
To unsubscribe from this list: send the line "unsubscribe mm-commits" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html





