Re: [patch 03/26] sysfs: zero terminate sysfs write buffers (CVE-2006-1055)

On Tue, 4 Apr 2006 16:59:47 -0700 [email protected] wrote:

> No one should be writing a PAGE_SIZE worth of data to a normal sysfs
> file, so properly terminate the buffer.
> 
> Thanks to Al Viro for pointing out my stupidity here.
> 
> CVE-2006-1055 has been assigned for this.
> 
> Signed-off-by: Greg Kroah-Hartman <[email protected]>
> 
> ---
>  fs/sysfs/file.c |    2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> --- linux-2.6.16.1.orig/fs/sysfs/file.c
> +++ linux-2.6.16.1/fs/sysfs/file.c
> @@ -183,7 +183,7 @@ fill_write_buffer(struct sysfs_buffer * 
>  		return -ENOMEM;
>  
>  	if (count >= PAGE_SIZE)
> -		count = PAGE_SIZE;
> +		count = PAGE_SIZE - 1;
>  	error = copy_from_user(buffer->page,buf,count);
>  	buffer->needs_read_fill = 1;
>  	return error ? -EFAULT : count;

This will break the "color_map" sysfs file for framebuffers -
drivers/video/fbsysfs.c:store_cmap() expects to get exactly 4096 bytes
for a colormap with 256 entries.  In fact, the original patch which
changed PAGE_SIZE - 1 to PAGE_SIZE:

http://kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=9d9d27fb651a7c95a46f276bacb4329db47470a6

was done exactly for use with that "color_map" file.

This patch also does not completely guarantee that the buffer will be
null-terminated.  A program may first call read() on the sysfs file,
which will allocate buffer->page and invoke ->show to fill that page;
then subsequent write() on the same file will reuse buffer->page.  To
get really bad results, you need to have ->store which assumes
null-terminated buffer together with ->show which writes to the last
byte of the page (which is probably rare, but show_cmap() does exactly
that).

Attachment: pgphtp1pFFhYo.pgp
Description: PGP signature

---

• Follow-Ups:
  • Re: [patch 03/26] sysfs: zero terminate sysfs write buffers (CVE-2006-1055)
    • From: "Jon Smirl" <[email protected]>
  • Re: [patch 03/26] sysfs: zero terminate sysfs write buffers (CVE-2006-1055)
    • From: Al Viro <[email protected]>

• References:
  • [patch 03/26] sysfs: zero terminate sysfs write buffers (CVE-2006-1055)
    • From: [email protected]

• Prev by Date: Re: Here is the tcp-zero-copy patch for kernel 2.6.12-6 .
• Next by Date: [PATCH] kexec: update MAINTAINERS
• Previous by thread: [patch 03/26] sysfs: zero terminate sysfs write buffers (CVE-2006-1055)
• Next by thread: Re: [patch 03/26] sysfs: zero terminate sysfs write buffers (CVE-2006-1055)
• Index(es):
  • Date
  • Thread

[Index of Archives]     [Kernel Newbies]     [Netfilter]     [Bugtraq]     [Photo]     [Stuff]     [Gimp]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Video 4 Linux]     [Linux for the blind]     [Linux Resources]