* A stack overflow found in flags_write()
@ 2021-12-27 11:59 张子勋(Zhang Zixun)
0 siblings, 0 replies; only message in thread
From: 张子勋(Zhang Zixun) @ 2021-12-27 11:59 UTC (permalink / raw)
To: tony.luck, bp; +Cc: linux-edac, linux-kernel
[-- Attachment #1.1: Type: text/plain, Size: 1019 bytes --]
Hi,
I find a problem in flags_write() in arch/x86/kernel/cpu/mce/inject.c. There is a parameter cnt in this function and it used in compute write size by "buf[cnt - 1] = 0". If cnt == 0, buf[cnt - 1] will change buf[-1] and occur overflow. This problem can be fixed by patch I provided.
Thanks
________________________________
OPPO
本电子邮件及其附件含有OPPO公司的保密信息,仅限于邮件指明的收件人使用(包含个人及群组)。禁止任何人在未经授权的情况下以任何形式使用。如果您错收了本邮件,请立即以电子邮件通知发件人并删除本邮件及其附件。
This e-mail and its attachments contain confidential information from OPPO, which is intended only for the person or entity whose address is listed above. Any use of the information contained herein in any way (including, but not limited to, total or partial disclosure, reproduction, or dissemination) by persons other than the intended recipient(s) is prohibited. If you receive this e-mail in error, please notify the sender by phone or email immediately and delete it!
[-- Attachment #1.2: Type: text/html, Size: 5547 bytes --]
[-- Attachment #2: 0001-Fix-flags_write-overflow.-If-cnt-0-buf-cnt-1-will-ch.patch --]
[-- Type: application/octet-stream, Size: 833 bytes --]
From a892bf2c02535471e079685250349e7c58d54a70 Mon Sep 17 00:00:00 2001
From: starry <zhang133010@icloud.com>
Date: Mon, 27 Dec 2021 19:34:18 +0800
Subject: [PATCH] Fix flags_write() overflow. If cnt == 0, buf[cnt - 1] will
change buf[-1] and occur problem.
---
arch/x86/kernel/cpu/mce/inject.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/x86/kernel/cpu/mce/inject.c b/arch/x86/kernel/cpu/mce/inject.c
index 0bfc14041bbb..07de30b8a127 100644
--- a/arch/x86/kernel/cpu/mce/inject.c
+++ b/arch/x86/kernel/cpu/mce/inject.c
@@ -350,7 +350,7 @@ static ssize_t flags_write(struct file *filp, const char __user *ubuf,
char buf[MAX_FLAG_OPT_SIZE], *__buf;
int err;
- if (cnt > MAX_FLAG_OPT_SIZE)
+ if (cnt > MAX_FLAG_OPT_SIZE || !cnt)
return -EINVAL;
if (copy_from_user(&buf, ubuf, cnt))
--
2.33.0
^ permalink raw reply related [flat|nested] only message in thread
only message in thread, other threads:[~2021-12-28 15:46 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-12-27 11:59 A stack overflow found in flags_write() 张子勋(Zhang Zixun)
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).