From: Cliff Wickman <cpw@sgi.com>
Date: Thu, 19 Jun 2008 16:16:24 +0000 (-0500)
Subject: x86, SGI UV: TLB shootdown using broadcast assist unit, v6
X-Git-Tag: v2.6.27-rc1~1106^2~244^2~1
X-Git-Url: http://pilppa.com/gitweb/?a=commitdiff_plain;h=cef53278682eb2604cbd99de64cdb59a8b35235a;p=linux-2.6-omap-h63xx.git

x86, SGI UV: TLB shootdown using broadcast assist unit, v6

v6: 6/19 close the security hole in uv_ptc_proc_write())

  > Found a potential security hole while doing that:
  > static ssize_t uv_ptc_proc_write(struct file *file, const char __user *user,
  >                              size_t count, loff_t *data)
  >     if (copy_from_user(optstr, user, count))
  >             return -EFAULT;
  >
  > is count guaranteed to never be larger than 64?

is fixed below.

It adds tlb_uv.o to the Makefile.

Signed-off-by: Cliff Wickman <cpw@sgi.com>
Cc: mingo@elte.hu
Signed-off-by: Ingo Molnar <mingo@elte.hu>
---

diff --git a/arch/x86/kernel/tlb_uv.c b/arch/x86/kernel/tlb_uv.c
index b362913f019..c503b7f0448 100644
--- a/arch/x86/kernel/tlb_uv.c
+++ b/arch/x86/kernel/tlb_uv.c
@@ -492,6 +492,8 @@ static ssize_t uv_ptc_proc_write(struct file *file, const char __user *user,
 	long newmode;
 	char optstr[64];
 
+	if (count > 64)
+		return -EINVAL;
 	if (copy_from_user(optstr, user, count))
 		return -EFAULT;
 	optstr[count - 1] = '\0';