Commit ad4c196a authored by Dave Jones's avatar Dave Jones Committed by Dave Jones

[CPUFREQ] Fix security hole in proc handler.

Brad Spengler <spender@grsecurity.net> found an exploitable bug in the proc handler
of cpufreq, where a user-supplied unsigned int is cast to a signed int and then
passed on to copy_[to|from]_user() allowing arbitary amounts of memory to be written
(root only thankfully), or read (as any user).

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned
the name CAN-2004-0228 to this issue.
parent 160df0e8
......@@ -168,7 +168,7 @@ cpufreq_procctl(ctl_table *ctl, int write, struct file *filp,
{
char buf[16], *p;
int cpu = (long) ctl->extra1;
int len, left = *lenp;
unsigned int len, left = *lenp;
if (!left || (filp->f_pos && !write) || !cpu_online(cpu)) {
*lenp = 0;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment