x86, SGI UV: TLB shootdown using broadcast assist unit, v6

v6: 6/19 close the security hole in uv_ptc_proc_write()) > Found a potential security hole while doing that: > static ssize_t uv_ptc_proc_write(struct file *file, const char __user *user, > size_t count, loff_t *data) > if (copy_from_user(optstr, user, count)) > return -EFAULT; > > is count guaranteed to never be larger than 64? is fixed below. It adds tlb_uv.o to the Makefile. Signed-off-by: N Cliff Wickman <cpw@sgi.com> Cc: mingo@elte.hu Signed-off-by: N Ingo Molnar <mingo@elte.hu>

x86, SGI UV: TLB shootdown using broadcast assist unit, v6
v6: 6/19 close the security hole in uv_ptc_proc_write()) > Found a potential security hole while doing that: > static ssize_t uv_ptc_proc_write(struct file *file, const char __user *user, > size_t count, loff_t *data) > if (copy_from_user(optstr, user, count)) > return -EFAULT; > > is count guaranteed to never be larger than 64? is fixed below. It adds tlb_uv.o to the Makefile. Signed-off-by: N Cliff Wickman <cpw@sgi.com> Cc: mingo@elte.hu Signed-off-by: N Ingo Molnar <mingo@elte.hu>
cef53278 · Cliff Wickman · Ingo Molnar · ab9c0bb8 · cef53278
隐藏空白更改
内联并排

Showing with 2 addition and 0 deletion

arch/x86/kernel/tlb_uv.c arch/x86/kernel/tlb_uv.c +2 -0

未找到文件。
--- a/arch/x86/kernel/tlb_uv.c
+++ b/arch/x86/kernel/tlb_uv.c
@@ -492,6 +492,8 @@ static ssize_t uv_ptc_proc_write(struct file *file, const char __user *user,
 	long newmode;
 	char optstr[64];

+	if (count > 64)
+		return -EINVAL;
 	if (copy_from_user(optstr, user, count))
 		return -EFAULT;
 	optstr[count - 1] = '\0';