From patchwork Mon Jul 20 22:58:44 2009
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Michael Buesch
X-Patchwork-Id: 36418
Received: from vger.kernel.org (vger.kernel.org [209.132.176.167]) by demeter.kernel.org (8.14.2/8.14.2) with ESMTP id n6KMwv72020576 for ; Mon, 20 Jul 2009 22:58:57 GMT
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753838AbZGTW6z (ORCPT ); Mon, 20 Jul 2009 18:58:55 -0400
Received: (majordomo@vger.kernel.org) by vger.kernel.org id S1754173AbZGTW6z (ORCPT ); Mon, 20 Jul 2009 18:58:55 -0400
Received: from bu3sch.de ([62.75.166.246]:46759 "EHLO vs166246.vserver.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753838AbZGTW6x (ORCPT ); Mon, 20 Jul 2009 18:58:53 -0400
Received: by vs166246.vserver.de with esmtpa (Exim 4.69) id 1MT1oq-00031B-Rd; Mon, 20 Jul 2009 22:58:52 +0000
From: Michael Buesch
To: kyle@mcmartin.ca, deller@gmx.de
Subject: [PATCH] parisc-isa-eeprom: Fix loff_t usage
Date: Tue, 21 Jul 2009 00:58:44 +0200
User-Agent: KMail/1.9.9
Cc: linux-parisc@vger.kernel.org
X-Move-Along: Nothing to see here. No, really... Nothing.
MIME-Version: 1.0
Content-Disposition: inline
Message-Id: <200907210058.44737.mb@bu3sch.de>
Sender: linux-parisc-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-parisc@vger.kernel.org

loff_t is a signed type. If userspace passes a negative ppos, the "count" range check is weakened. "count"s bigger than HPEE_MAX_LENGTH will pass the check.
Also, if ppos is negative, the readb(eisa_eeprom_addr + *ppos) will poke in random memory.

Signed-off-by: Michael Buesch
Cc: stable@kernel.org
---
Patch is untested due to lack of hardware.

---
 drivers/parisc/eisa_eeprom.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- linux-2.6.orig/drivers/parisc/eisa_eeprom.c +++ linux-2.6/drivers/parisc/eisa_eeprom.c 
@@ -48,21 +48,21 @@ static loff_t eisa_eeprom_llseek(struct return (offset >= 0 && offset < HPEE_MAX_LENGTH) ? (file->f_pos = offset) : -EINVAL; } static ssize_t eisa_eeprom_read(struct file * file, char __user *buf, size_t count, loff_t *ppos ) { unsigned char *tmp; ssize_t ret; int i; - if (*ppos >= HPEE_MAX_LENGTH) + if (*ppos < 0 || *ppos >= HPEE_MAX_LENGTH) return 0; count = *ppos + count < HPEE_MAX_LENGTH ? count : HPEE_MAX_LENGTH - *ppos; tmp = kmalloc(count, GFP_KERNEL); if (tmp) { for (i = 0; i < count; i++) tmp[i] = readb(eisa_eeprom_addr+(*ppos)++); if (copy_to_user (buf, tmp, count)) ret = -EFAULT;
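Review bot: In eisa_eeprom_read(), the new `*ppos < 0` test shares the `return 0` of the end-of-device case, so a negative offset is reported to the caller as end-of-file, while eisa_eeprom_llseek() in the context just above rejects a negative offset with -EINVAL. Consider splitting the test so that `*ppos < 0` returns -EINVAL and `*ppos >= HPEE_MAX_LENGTH` keeps returning 0, which keeps the two entry points consistent and makes a bad offset visible to userspace. A one-line comment above the check would also help: the clamp on the following line (`HPEE_MAX_LENGTH - *ppos`) only bounds `count` to HPEE_MAX_LENGTH when `*ppos` is non-negative, and since loff_t is signed that dependency is easy to lose in a later cleanup. Since the note says the patch is untested, a read at a negative offset and one at an offset of HPEE_MAX_LENGTH would be worth exercising before this goes to stable.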