diff options
| author | Cliff Wickman <cpw@sgi.com> | 2008-06-19 12:16:24 -0400 |
|---|---|---|
| committer | Ingo Molnar <mingo@elte.hu> | 2008-07-08 06:23:30 -0400 |
| commit | cef53278682eb2604cbd99de64cdb59a8b35235a (patch) | |
| tree | b57124c7b03d7ac92ada52d5a783c4e0d8edcc8d /arch/x86/kernel/tlb_uv.c | |
| parent | ab9c0bb8a8c1d71dd303abdaa61ec496128e2fbe (diff) | |
x86, SGI UV: TLB shootdown using broadcast assist unit, v6
v6: 6/19 close the security hole in uv_ptc_proc_write())
> Found a potential security hole while doing that:
> static ssize_t uv_ptc_proc_write(struct file *file, const char __user *user,
> size_t count, loff_t *data)
> if (copy_from_user(optstr, user, count))
> return -EFAULT;
>
> is count guaranteed to never be larger than 64?
is fixed below.
It adds tlb_uv.o to the Makefile.
Signed-off-by: Cliff Wickman <cpw@sgi.com>
Cc: mingo@elte.hu
Signed-off-by: Ingo Molnar <mingo@elte.hu>
Diffstat (limited to 'arch/x86/kernel/tlb_uv.c')
| -rw-r--r-- | arch/x86/kernel/tlb_uv.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/arch/x86/kernel/tlb_uv.c b/arch/x86/kernel/tlb_uv.c index b362913f0199..c503b7f04481 100644 --- a/arch/x86/kernel/tlb_uv.c +++ b/arch/x86/kernel/tlb_uv.c | |||
| @@ -492,6 +492,8 @@ static ssize_t uv_ptc_proc_write(struct file *file, const char __user *user, | |||
| 492 | long newmode; | 492 | long newmode; |
| 493 | char optstr[64]; | 493 | char optstr[64]; |
| 494 | 494 | ||
| 495 | if (count > 64) | ||
| 496 | return -EINVAL; | ||
| 495 | if (copy_from_user(optstr, user, count)) | 497 | if (copy_from_user(optstr, user, count)) |
| 496 | return -EFAULT; | 498 | return -EFAULT; |
| 497 | optstr[count - 1] = '\0'; | 499 | optstr[count - 1] = '\0'; |