Re: kernel: [PARISC] led.c - fix potential stack overflow in led_proc_write()

[Ben Hutchings <ben () decadent org uk>]

On Sat, 2010-08-14 at 09:00 +0800, Eugene Teo wrote:
> On 08/14/2010 08:54 AM, dann frazier wrote:
> > On Tue, Aug 03, 2010 at 01:51:15AM -0400, Moritz Muehlenhoff wrote:
> > > On Tue, Aug 03, 2010 at 11:46:58AM +0800, Eugene Teo wrote:
> > > > Ilja reported way back in Nov 2007. A writer to /proc/pdc/led(?) can
> > > > cause the kernel to consume an unbounded amount of stack, and result
> > > > in stack corruption.
> > > >
> > > > http://www.spinics.net/lists/linux-parisc/msg02960.html
> > > >
> > > > If you need a CVE name, change the subject to indicate that. We are
> > > > not requesting one as we do not support the PA-RISC architecture in
> > > > our distribution.
> > >
> > > Debian supports hppa.
> > >
> > > Steven, please assign a CVE ID.
> >
> > Ben Hutchings pointed out that this file is only writeable by root -
> > can it therefore be considered a security issue?
>
>  From the bug report:
> "the problem being that the stack is limited and count is not (except 
> for the MAX_INT check done in sys_write() I guess). this could lead to 
> stack corruption (when for example calling capable())."

But the file permissions are checked even before the function is called,
are they not?

Ben.

-- 
Ben Hutchings
Once a job is fouled up, anything done to improve it makes it worse.

Attachment: signature.asc
Description: This is a digitally signed message part