Re: kernel: [PARISC] led.c - fix potential stack overflow in led_proc_write()

[Eugene Teo <eugene () redhat com>]

On 08/14/2010 08:54 AM, dann frazier wrote:
> On Tue, Aug 03, 2010 at 01:51:15AM -0400, Moritz Muehlenhoff wrote:
> > On Tue, Aug 03, 2010 at 11:46:58AM +0800, Eugene Teo wrote:
> > > Ilja reported way back in Nov 2007. A writer to /proc/pdc/led(?) can
> > > cause the kernel to consume an unbounded amount of stack, and result
> > > in stack corruption.
> > >
> > > http://www.spinics.net/lists/linux-parisc/msg02960.html
> > >
> > > If you need a CVE name, change the subject to indicate that. We are
> > > not requesting one as we do not support the PA-RISC architecture in
> > > our distribution.
> >
> > Debian supports hppa.
> >
> > Steven, please assign a CVE ID.
>
> Ben Hutchings pointed out that this file is only writeable by root -
> can it therefore be considered a security issue?

From the bug report:
"the problem being that the stack is limited and count is not (except 
for the MAX_INT check done in sys_write() I guess). this could lead to 
stack corruption (when for example calling capable())."

Eugene
--
main(i) { putchar(182623909 >> (i-1) * 5&31|!!(i<7)<<6) && main(++i); }