On Thu, 2013-10-17 at 04:53 +0100, Ben Hutchings wrote:
> Commit e82b89a6f19bae73fb064d1b3dd91fcefbb478f4 introduces a trivial
> local denial of service.
Oops. Prarit, please send a fix asap ! I'm travelling right now.
Thanks !
Ben.
> > --- a/arch/powerpc/kernel/vio.c
> > +++ b/arch/powerpc/kernel/vio.c
> > @@ -1351,11 +1351,15 @@ static ssize_t modalias_show(struct devi
> > const char *cp;
> >
> > dn = dev->of_node;
> > - if (!dn)
> > - return -ENODEV;
> > + if (!dn) {
> > + strcat(buf, "\n");
>
> Every read from the same sysfs file handle uses the same buffer, which
> gets zero-initialised just once. So if I open the file, read it and
> seek back to 0 repeatedly, I can make modalias_show() write arbitrary
> numbers of newlines into *and beyond* that page-sized buffer.
>
> Obviously strcat() should be strcpy().
>
> Ben.
>
> > + return strlen(buf);
> > + }
> > cp = of_get_property(dn, "compatible", NULL);
> > - if (!cp)
> > - return -ENODEV;
> > + if (!cp) {
> > + strcat(buf, "\n");
> > + return strlen(buf);
> > + }
> >
> > return sprintf(buf, "vio:T%sS%s\n", vio_dev->type, cp);
> > }
>
--
To unsubscribe from this list: send the line "unsubscribe stable" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html