Commit e82b89a6f19bae73fb064d1b3dd91fcefbb478f4 introduces a trivial local denial of service.

> --- a/arch/powerpc/kernel/vio.c
> +++ b/arch/powerpc/kernel/vio.c
> @@ -1351,11 +1351,15 @@ static ssize_t modalias_show(struct devi
> const char *cp;
>
> dn = dev->of_node;
> - if (!dn)
> - return -ENODEV;
> + if (!dn) {
> + strcat(buf, "\n");

Every read from the same sysfs file handle uses the same buffer, which gets zero-initialised just once. So if I open the file, read it and seek back to 0 repeatedly, I can make modalias_show() write arbitrary numbers of newlines into *and beyond* that page-sized buffer. Obviously strcat() should be strcpy(). Ben.

> + return strlen(buf);
> + }
> cp = of_get_property(dn, "compatible", NULL);
> - if (!cp)
> - return -ENODEV;
> + if (!cp) {
> + strcat(buf, "\n");
> + return strlen(buf);
> + }
>
> return sprintf(buf, "vio:T%sS%s\n", vio_dev->type, cp);
> }

--
Ben Hutchings
Horngren's Observation: Among economists, the real world is often a special case.
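Review bot: The final `return sprintf(buf, "vio:T%sS%s\n", vio_dev->type, cp);` writes into the sysfs buffer with no length bound, and `cp` comes straight from the device tree's "compatible" property. The buffer is described in this thread as page-sized, so a bounded call such as `return scnprintf(buf, PAGE_SIZE, "vio:T%sS%s\n", vio_dev->type, cp);` would keep an unexpectedly long property from running past it; whether firmware can actually supply such a value is not visible here. modalias_show() starts above the hunk, so the declarations of `vio_dev` and `dn` are not shown.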