From patchwork Thu Jan 20 20:08:06 2011 X-Patchwork-Submitter: Vasiliy Kulikov X-Patchwork-Id: 492481
From: Vasiliy Kulikov To: kernel-janitors@vger.kernel.org Cc: Len Brown , linux-acpi@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH] acpi: debugfs: fix buffer overflows, double free Date: Thu, 20 Jan 2011 23:08:06 +0300 Message-Id: <1295554086-23873-1-git-send-email-segoon@openwall.com> X-Mailer: git-send-email 1.7.0.4 Sender: linux-acpi-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-acpi@vger.kernel.org X-Greylist: IP, sender and recipient auto-whitelisted, not delayed by milter-greylist-4.2.6 (demeter1.kernel.org [140.211.167.41]); Thu, 20 Jan 2011 20:08:30 +0000 (UTC) diff --git a/drivers/acpi/debugfs.c b/drivers/acpi/debugfs.c index 5df67f1..384f7ab 100644 --- a/drivers/acpi/debugfs.c +++ b/drivers/acpi/debugfs.c @@ -26,7 +26,9 @@ static ssize_t cm_write(struct file *file, const char __user * user_buf, size_t count, loff_t *ppos) { static char *buf; - static int uncopied_bytes; + static u32 max_size; + static u32 uncopied_bytes; + struct acpi_table_header table; acpi_status status; @@ -37,19 +39,24 @@ static ssize_t cm_write(struct file *file, const char __user * user_buf, if (copy_from_user(&table, user_buf, sizeof(struct acpi_table_header))) return -EFAULT; - uncopied_bytes = table.length; - buf = kzalloc(uncopied_bytes, GFP_KERNEL); + uncopied_bytes = max_size = table.length; + buf = kzalloc(max_size, GFP_KERNEL); if (!buf) return -ENOMEM; } - if (uncopied_bytes < count) { - kfree(buf); + if (buf == NULL) + return -EINVAL; + + if ((*ppos > max_size) || + (*ppos + count > max_size) || + (*ppos + count < count) || + (count > uncopied_bytes)) return -EINVAL; - } if (copy_from_user(buf + (*ppos), user_buf, count)) { kfree(buf); + buf = NULL; return -EFAULT; } @@ -59,6 +66,7 @@ static ssize_t cm_write(struct file *file, const char __user * user_buf, if (!uncopied_bytes) { status = acpi_install_method(buf); kfree(buf); + buf = NULL; if (ACPI_FAILURE(status)) return -EINVAL; add_taint(TAINT_OVERRIDDEN_ACPI_TABLE);
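Review bot: in the first hunk (@@ -26,7), `buf`, `max_size` and `uncopied_bytes` are function-scope statics, so the upload state is shared by every process that has this debugfs file open, and nothing in the visible hunks serializes the writers; two concurrent writes can interleave between the bounds check and `copy_from_user(buf + (*ppos), user_buf, count)`, or one writer can `kfree(buf)` on its error path while another is still copying into it. Guard the body of `cm_write` with a mutex, or state in a comment that concurrent writers are unsupported. Changing `uncopied_bytes` to `u32` so it matches the `u32` `length` field it is assigned from is the right call; a one-line comment saying that the three statics describe a single in-progress table upload would help the next reader.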
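Review bot: in the second hunk (@@ -37,19), the block at the top of the hunk that reads the header reallocates with `buf = kzalloc(max_size, GFP_KERNEL);` without releasing an existing `buf`, so a writer that starts a fresh upload after an earlier one was never completed leaks the previous allocation (the old `kfree(buf)` on the short-write path, which left the static pointer dangling and produced the double free named in the subject, is rightly gone, but nothing now frees a half-filled buffer when a new header arrives). Add `kfree(buf);` immediately before the `kzalloc` (it is NULL-safe) or reject a new header while `buf != NULL`. The new bounds check itself is sound: `*ppos + count < count` catches wraparound and `count > uncopied_bytes` stops the write from exceeding what remains; the leading `*ppos > max_size` term is implied by `*ppos + count > max_size` once wraparound is excluded and can be dropped to keep the condition minimal. Finally, the header is read with `sizeof(struct acpi_table_header)` regardless of `count`; rejecting `count < sizeof(struct acpi_table_header)` before that copy keeps the read inside the buffer the caller actually passed.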
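Review bot: in the third hunk (@@ -59,6), clearing `buf` after `kfree(buf)` closes the use-after-free and double free on the install path, but `uncopied_bytes` and `max_size` are left holding the finished upload's values and are harmless only because the new `buf == NULL` check rejects any write that does not begin with a fresh header. Reset both to 0 next to `buf = NULL;`, here and on the `copy_from_user` failure path in the previous hunk, so the idle state is unambiguous, and add a short comment above `cm_write` documenting that `buf != NULL` means a table upload is in progress. The buffer handed to `acpi_install_method(buf)` has been validated only against the length in the user-supplied header; that is the intended trust model for this debugfs interface, which is why the success path calls `add_taint(TAINT_OVERRIDDEN_ACPI_TABLE)`, and a comment saying so would spare a future reviewer from re-deriving it.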