From patchwork Wed Oct 27 22:12:35 2010
X-Patchwork-Submitter: Dan Carpenter
X-Patchwork-Id: 69418
X-Patchwork-Delegate: davem@davemloft.net
Date: Thu, 28 Oct 2010 00:12:35 +0200
From: Dan Carpenter
To: nelhage@ksplice.com
Cc: Eric Dumazet, "David S. Miller", Robert Olsson, Andy Shevchenko, netdev@vger.kernel.org
Subject: [patch] fix stack overflow in pktgen_if_write()
Message-ID: <20101027221234.GN6062@bicker>
In-Reply-To: <1288206788-21063-1-git-send-email-nelhage@ksplice.com>

Nelson Elhage says he was able to oops both amd64 and i386 test machines with 8k writes to the pktgen file. Let's just allocate the buffer on the heap instead of on the stack.

This can only be triggered by root so there are no security issues here.

Reported-by: Nelson Elhage
Signed-off-by: Dan Carpenter
---
I saw this on twitter. Hi Nelson, could you test this?

diff --git a/net/core/pktgen.c b/net/core/pktgen.c index 2c0df0f..b5d3c70 100644 --- a/net/core/pktgen.c +++ b/net/core/pktgen.c @@ -887,12 +887,14 @@ static ssize_t pktgen_if_write(struct file *file, i += len; if (debug) { - char tb[count + 1]; - if (copy_from_user(tb, user_buffer, count)) - return -EFAULT; - tb[count] = 0; + char *tb; + + tb = strndup_user(user_buffer, count + 1); + if (IS_ERR(tb)) + return PTR_ERR(tb); printk(KERN_DEBUG "pktgen: %s,%lu buffer -:%s:-\n", name, (unsigned long)count, tb); + kfree(tb); } if (!strcmp(name, "min_pkt_size")) {
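
Review bot: the strndup_user(user_buffer, count + 1) call in the debug branch depends on userspace placing a NUL within count + 1 bytes, which a write() buffer is not required to do, whereas the removed code copied exactly count bytes and set tb[count] = 0 itself. strndup_user() returns an error when it finds no NUL inside the given length, so with debug enabled an unterminated write would now return early through PTR_ERR(tb) instead of being parsed, and the scan also reads one byte past the count bytes the caller passed. An embedded NUL would likewise shorten what gets logged. Consider keeping the original semantics on the heap: allocate count + 1 bytes, copy_from_user() exactly count bytes, terminate with tb[count] = 0, and kfree() after the printk. Since this buffer is only used for a debug message, capping the copied length at a small fixed size would also bound the allocation, which is otherwise sized directly from the user-supplied count.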