Re: [patch 03/26] sysfs: zero terminate sysfs write buffers (CVE-2006-1055)

[Sergey Vlasov <vsu@altlinux.ru>]

On Tue, 4 Apr 2006 16:59:47 -0700 gregkh@suse.de wrote:

> No one should be writing a PAGE_SIZE worth of data to a normal sysfs
> file, so properly terminate the buffer.
> 
> Thanks to Al Viro for pointing out my stupidity here.
> 
> CVE-2006-1055 has been assigned for this.
> 
> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
> 
> ---
>  fs/sysfs/file.c |    2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> --- linux-2.6.16.1.orig/fs/sysfs/file.c
> +++ linux-2.6.16.1/fs/sysfs/file.c
> @@ -183,7 +183,7 @@ fill_write_buffer(struct sysfs_buffer * 
>  		return -ENOMEM;
>  
>  	if (count >= PAGE_SIZE)
> -		count = PAGE_SIZE;
> +		count = PAGE_SIZE - 1;
>  	error = copy_from_user(buffer->page,buf,count);
>  	buffer->needs_read_fill = 1;
>  	return error ? -EFAULT : count;

This will break the "color_map" sysfs file for framebuffers -
drivers/video/fbsysfs.c:store_cmap() expects to get exactly 4096 bytes
for a colormap with 256 entries.  In fact, the original patch which
changed PAGE_SIZE - 1 to PAGE_SIZE:

http://kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=9d9d27fb651a7c95a46f276bacb4329db47470a6

was done exactly for use with that "color_map" file.

This patch also does not completely guarantee that the buffer will be
null-terminated.  A program may first call read() on the sysfs file,
which will allocate buffer->page and invoke ->show to fill that page;
then subsequent write() on the same file will reuse buffer->page.  To
get really bad results, you need to have ->store which assumes
null-terminated buffer together with ->show which writes to the last
byte of the page (which is probably rare, but show_cmap() does exactly
that).

Attachment: pgphtp1pFFhYo.pgp
Description: PGP signature