x86, SGI UV: TLB shootdown using broadcast assist unit, v6 v6: 6/19 close the security hole in uv_ptc_proc_write()) > Found a potential security hole while doing that: > static ssize_t uv_ptc_proc_write(struct file *file, const char __user *user, > size_t count, loff_t *data) > if (copy_from_user(optstr, user, count)) > return -EFAULT; > > is count guaranteed to never be larger than 64? is fixed below. It adds tlb_uv.o to the Makefile. Signed-off-by: Cliff Wickman <cpw@sgi.com> Cc: mingo@elte.hu Signed-off-by: Ingo Molnar <mingo@elte.hu>

commit: cef53278682eb2604cbd99de64cdb59a8b35235a [log] [tgz]
author: Cliff Wickman <cpw@sgi.com> Thu Jun 19 11:16:24 2008 -0500
committer: Ingo Molnar <mingo@elte.hu> Tue Jul 08 12:23:30 2008 +0200
tree: b57124c7b03d7ac92ada52d5a783c4e0d8edcc8d
parent: ab9c0bb8a8c1d71dd303abdaa61ec496128e2fbe [diff]
diff --git a/arch/x86/kernel/tlb_uv.c b/arch/x86/kernel/tlb_uv.c
index b362913..c503b7f 100644
--- a/arch/x86/kernel/tlb_uv.c
+++ b/arch/x86/kernel/tlb_uv.c

@@ -492,6 +492,8 @@
 	long newmode;
 	char optstr[64];
 
+	if (count > 64)
+		return -EINVAL;
 	if (copy_from_user(optstr, user, count))
 		return -EFAULT;
 	optstr[count - 1] = '\0';
commit	cef53278682eb2604cbd99de64cdb59a8b35235a	[log] [tgz]
author	Cliff Wickman <cpw@sgi.com>	Thu Jun 19 11:16:24 2008 -0500
committer	Ingo Molnar <mingo@elte.hu>	Tue Jul 08 12:23:30 2008 +0200
tree	b57124c7b03d7ac92ada52d5a783c4e0d8edcc8d
parent	ab9c0bb8a8c1d71dd303abdaa61ec496128e2fbe [diff]