From patchwork Wed Oct 27 22:43:02 2010
X-Patchwork-Submitter: Dan Carpenter
X-Patchwork-Id: 69419
X-Patchwork-Delegate: davem@davemloft.net
Date: Thu, 28 Oct 2010 00:43:02 +0200
From: Dan Carpenter
To: nelhage@ksplice.com
Cc: Eric Dumazet, "David S. Miller", Robert Olsson, Andy Shevchenko, netdev@vger.kernel.org
Subject: [patch v2] fix stack overflow in pktgen_if_write()
Message-ID: <20101027224302.GQ6062@bicker>
References: <1288206788-21063-1-git-send-email-nelhage@ksplice.com> <20101027221234.GN6062@bicker>
In-Reply-To: <20101027221234.GN6062@bicker>

Nelson Elhage says he was able to oops both amd64 and i386 test machines with 8k writes to the pktgen file. Let's just allocate the buffer on the heap instead of on the stack.

This can only be triggered by root so there are no security issues here.

Reported-by: Nelson Elhage
Signed-off-by: Dan Carpenter
---
I saw this on twitter. Hi Nelson, could you test this?

V2: strndup_user() => memdup_user()

diff --git a/net/core/pktgen.c b/net/core/pktgen.c index 2c0df0f..b5d3c70 100644 --- a/net/core/pktgen.c +++ b/net/core/pktgen.c @@ -887,12 +887,14 @@ static ssize_t pktgen_if_write(struct file *file, i += len; if (debug) { - char tb[count + 1]; - if (copy_from_user(tb, user_buffer, count)) - return -EFAULT; - tb[count] = 0; + char *tb; + + tb = memdup_user(user_buffer, count + 1); + if (IS_ERR(tb)) + return PTR_ERR(tb); printk(KERN_DEBUG "pktgen: %s,%lu buffer -:%s:-\n", name, (unsigned long)count, tb); + kfree(tb); } if (!strcmp(name, "min_pkt_size")) {
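Review bot: The debug branch no longer NUL-terminates tb before passing it to printk() with %s. The removed code copied count bytes and then set `tb[count] = 0;`, whereas `memdup_user(user_buffer, count + 1)` copies count + 1 bytes and leaves the last byte as whatever follows the caller's data in user memory. If that byte is non-zero, the %s read runs past the end of the heap allocation. If the caller's buffer ends at the edge of a mapping, the extra byte makes an otherwise valid write fail with -EFAULT. Suggest keeping the heap allocation but copying only count bytes into a count + 1 byte buffer and restoring the explicit `tb[count] = 0;`. Since count is caller-supplied and now sizes a kernel allocation made only for a debug print, an upper bound on the number of bytes copied would also be worth adding here.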