From patchwork Mon Aug  2 20:46:41 2010
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Helge Deller <deller@gmx.de>
X-Patchwork-Id: 116593
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by demeter.kernel.org (8.14.4/8.14.3) with ESMTP id o72Kkmlm007351
	for <patchwork-parisc@patchwork.kernel.org>;
	Mon, 2 Aug 2010 20:46:48 GMT
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1751547Ab0HBUqs (ORCPT
	<rfc822;patchwork-parisc@patchwork.kernel.org>);
	Mon, 2 Aug 2010 16:46:48 -0400
Received: from mailout-de.gmx.net ([213.165.64.22]:35291 "HELO mail.gmx.net"
	rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with SMTP
	id S1751102Ab0HBUqr (ORCPT <rfc822;linux-parisc@vger.kernel.org>);
	Mon, 2 Aug 2010 16:46:47 -0400
Received: (qmail invoked by alias); 02 Aug 2010 20:46:45 -0000
Received: from p54AD1451.dip0.t-ipconnect.de (EHLO p100.box) [84.173.20.81]
	by mail.gmx.net (mp068) with SMTP; 02 Aug 2010 22:46:45 +0200
X-Authenticated: #1045983
X-Provags-ID: V01U2FsdGVkX19WBYll2BlW9eZMdKhHgiNweRmLWG5mBuOxjOGgoq
	La+oJdD5I+r3os
Date: Mon, 2 Aug 2010 22:46:41 +0200
From: Helge Deller <deller@gmx.de>
To: Andrew Morton <akpm@linux-foundation.org>, linux-parisc@vger.kernel.org,
	Kyle McMartin <kyle@mcmartin.ca>
Cc: Ilja <ilja@netric.org>, security@kernel.org, Helge Deller <deller@gmx.de>,
	"James E.J. Bottomley" <jejb@parisc-linux.org>
Subject: Re: [Security] [PATCH] bug in led_proc_write()
Message-ID: <20100802204641.GA2907@p100.box>
References: <52a11dc3cc92b1e13c028304d9a7beaa@81.11.193.46>
	<20100710170458.96dc8a65.akpm@linux-foundation.org>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <20100710170458.96dc8a65.akpm@linux-foundation.org>
User-Agent: Mutt/1.5.20 (2009-08-17)
X-Y-GMX-Trusted: 0
Sender: linux-parisc-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-parisc.vger.kernel.org>
X-Mailing-List: linux-parisc@vger.kernel.org
X-Greylist: IP, sender and recipient auto-whitelisted, not delayed by
	milter-greylist-4.2.3 (demeter.kernel.org [140.211.167.41]);
	Mon, 02 Aug 2010 20:46:48 +0000 (UTC)


diff --git a/drivers/parisc/led.c b/drivers/parisc/led.c
index 188bc84..d02be78 100644
--- a/drivers/parisc/led.c
+++ b/drivers/parisc/led.c
@@ -176,16 +176,18 @@ static ssize_t led_proc_write(struct file *file, const char *buf,
 	size_t count, loff_t *pos)
 {
 	void *data = PDE(file->f_path.dentry->d_inode)->data;
-	char *cur, lbuf[count + 1];
+	char *cur, lbuf[32];
 	int d;
 
 	if (!capable(CAP_SYS_ADMIN))
 		return -EACCES;
 
-	memset(lbuf, 0, count + 1);
+	if (count >= sizeof(lbuf))
+		count = sizeof(lbuf)-1;
 
 	if (copy_from_user(lbuf, buf, count))
 		return -EFAULT;
+	lbuf[count] = 0;
 
 	cur = lbuf;