From patchwork Sat Aug 1 15:04:19 2009
X-Patchwork-Submitter: Henrique de Moraes Holschuh
X-Patchwork-Id: 38675
From: Henrique de Moraes Holschuh
To: Len Brown
Cc: linux-acpi@vger.kernel.org, ibm-acpi-devel@lists.sourceforge.net, Michael Buesch, stable@kernel.org
Subject: [PATCH 3/4] thinkpad-acpi: Avoid heap buffer overrun
Date: Sat, 1 Aug 2009 12:04:19 -0300
Message-Id: <1249139060-15392-4-git-send-email-hmh@hmh.eng.br>
X-Mailer: git-send-email 1.6.3.3
In-Reply-To: <1249139060-15392-1-git-send-email-hmh@hmh.eng.br>
References: <1249139060-15392-1-git-send-email-hmh@hmh.eng.br>
X-Mailing-List: linux-acpi@vger.kernel.org

From: Michael Buesch

Avoid a heap buffer overrun triggered by an integer overflow of the
userspace controlled "count" variable.

If userspace passes in a "count" of (size_t)-1l, the kmalloc size will
overflow to ((size_t)-1l + 2) = 1, so only one byte will be allocated.
However, copy_from_user() will attempt to copy 0xFFFFFFFF (or
0xFFFFFFFFFFFFFFFF on 64-bit) bytes to the buffer.

A possible testcase could look like this:

    /* The header names were lost in extraction; these are the ones the
     * calls below (printf, open, write) need. */
    #include <stdio.h>
    #include <sys/types.h>
    #include <fcntl.h>
    #include <unistd.h>

    int main(int argc, char **argv)
    {
        int fd;
        char c;

        if (argc != 2) {
            printf("Usage: %s /proc/acpi/ibm/filename\n", argv[0]);
            return 1;
        }

        fd = open(argv[1], O_RDWR);
        if (fd < 0) {
            printf("Could not open proc file\n");
            return 1;
        }

        /* A write with count == (size_t)-1: the driver's count + 2
         * wraps to 1, so kmalloc() returns a one-byte buffer. */
        write(fd, &c, (size_t)-1l);

        return 0;
    }

We avoid the integer overrun by putting an arbitrary limit on the count.
PAGE_SIZE sounds like a sane limit.

(note: this bug exists at least since kernel 2.6.12...)

Signed-off-by: Michael Buesch
Acked-by: Henrique de Moraes Holschuh
Cc: stable@kernel.org
---
 drivers/platform/x86/thinkpad_acpi.c | 2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/drivers/platform/x86/thinkpad_acpi.c b/drivers/platform/x86/thinkpad_acpi.c
index 27d68e7..18f9ee6 100644
--- a/drivers/platform/x86/thinkpad_acpi.c
+++ b/drivers/platform/x86/thinkpad_acpi.c
@@ -766,6 +766,8 @@ static int dispatch_procfs_write(struct file *file, if (!ibm || !ibm->write) return -EINVAL; + if (count > PAGE_SIZE - 2) + return -EINVAL; kernbuf = kmalloc(count + 2, GFP_KERNEL); if (!kernbuf)
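Review bot: the new `if (count > PAGE_SIZE - 2) return -EINVAL;` is what keeps the `kmalloc(count + 2, GFP_KERNEL)` two lines below from wrapping, but nothing in the hunk says so; a one-line comment next to the check ("limit so that count + 2 cannot overflow; no procfs write here needs more than a page") would stop a later cleanup from loosening it. The `- 2` has to stay in lockstep with the `+ 2` in the kmalloc call, so consider naming that overhead once rather than repeating the literal. Since `count` is unsigned, every value that could wrap `count + 2` is also above the limit, so the ordering check-then-add is correct as written; it would also be worth a sentence in the changelog that oversized writes now fail with -EINVAL instead of being truncated.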
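As an added example, not part of Michael Buesch's patch or of thinkpad_acpi.c, the following standalone userspace C program replays the size computation the changelog describes and the guard the patch adds, so the wrap-around and the fix can be exercised side by side. PAGE_SIZE is assumed to be 4096 here (the kernel's value is architecture dependent), and the names naive_alloc_size, check_write_count and add_overflows are chosen for this example only; add_overflows goes slightly beyond the patch by showing the general overflow-by-comparison test for cases where no natural upper bound such as a page exists.

```c
/* Added example, not part of the patch or of thinkpad_acpi.c.
 * PAGE_SIZE is assumed to be 4096; all function names are chosen here. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SIZE 4096UL

/* The pre-patch size computation: count + 2 is evaluated in size_t, so
 * count == SIZE_MAX yields 1 and count == SIZE_MAX - 1 yields 0, while
 * the later copy_from_user() would still be asked for the full count. */
size_t naive_alloc_size(size_t count)
{
    return count + 2;
}

/* The guard the patch adds: reject anything larger than PAGE_SIZE - 2.
 * Because count is unsigned, every value that could wrap count + 2 is
 * also above the limit, so the addition performed after this check is
 * safe. Returns 0 when the write may proceed, -EINVAL otherwise. */
int check_write_count(size_t count)
{
    if (count > PAGE_SIZE - 2)
        return -EINVAL;
    return 0;
}

/* General form of the same idea when there is no natural upper bound:
 * decide by comparison whether count + overhead would wrap, before
 * ever performing the addition. Returns 1 on overflow, 0 otherwise. */
int add_overflows(size_t count, size_t overhead)
{
    return count > SIZE_MAX - overhead;
}

static void report(const char *label, size_t count)
{
    printf("%-22s count=%zu naive_size=%zu checked=%s\n", label, count,
           naive_alloc_size(count),
           check_write_count(count) == 0 ? "accepted" : "rejected");
}

int main(void)
{
    /* Constructed sample counts, including the (size_t)-1 from the bug report. */
    report("small write", 16);
    report("largest allowed", PAGE_SIZE - 2);
    report("one over the limit", PAGE_SIZE - 1);
    report("(size_t)-1 from bug", (size_t)-1);
    report("(size_t)-2", (size_t)-2);
    return 0;
}
```

The check is placed before the addition on purpose: testing `count + 2 > PAGE_SIZE` after the fact would itself be defeated by the wrap, which is exactly why the patch bounds `count` rather than the computed size.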