Re: FW: [PATCH] cs5535_gpio: Fix root triggerable integer underflow
From: Ben Gardner
Date: Fri Jul 24 2009 - 13:40:44 EST
Hi Michael,
> This patch fixes a possible root triggerable (I hope the device is only
> readable by root?) integer underflow.
> Well, it's not really an underflow, but as loff_t is a signed type, the
> range check at the start of the function is incomplete. It needs to
> check for <0, too.
> Otherwise the loop below will poke into random memory and I/O space.
> This could be used to crash the machine, at least.
>
> This patch is only compiletested, because I do not have the hardware.
>
> Signed-off-by: Michael Buesch <mb@xxxxxxxxx>
>
> ---
>
> I'm not sure if this bug is exploitable. I _guess_ the device is only
> readable by root
> on a standard setup.
The cs5525_gpio driver uses the default seek, which doesn't allow
negative position values.
So, I don't think it necessary to check for negative values.
Ben
> ---
> drivers/char/cs5535_gpio.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> --- linux-2.6.orig/drivers/char/cs5535_gpio.c
> +++ linux-2.6/drivers/char/cs5535_gpio.c
> @@ -124,21 +124,21 @@ static ssize_t cs5535_gpio_write(struct
> static ssize_t cs5535_gpio_read(struct file *file, char __user *buf,
> size_t len, loff_t *ppos)
> {
> u32 m = iminor(file->f_path.dentry->d_inode);
> u32 base = gpio_base + cs5535_lowhigh_base(m);
> int rd_bit = 1 << (m & 0x0f);
> int i;
> char ch;
> ssize_t count = 0;
>
> - if (*ppos >= ARRAY_SIZE(rm))
> + if (*ppos < 0 || *ppos >= ARRAY_SIZE(rm))
> return 0;
>
> for (i = *ppos; (i < (*ppos + len)) && (i < ARRAY_SIZE(rm));
> i++) {
> ch = (inl(base + rm[i].rd_offset) & rd_bit) ?
> rm[i].on : rm[i].off;
>
> if (put_user(ch, buf+count))
> return -EFAULT;
>
> count++;
>
> --
> Greetings, Michael.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/