From: dann frazier Date: Tue, 6 Nov 2007 22:36:46 +0000 (-0700) Subject: [PATCH 1/4] [OpenPROM]: Fix signedness bug in openprom char driver X-Git-Url: http://git.osdn.net/view?a=commitdiff_plain;h=996bad4803a2ebfebe7b27a431fbcae591f7d199;p=linux-kernel-docs%2Flinux-2.4.36.git [PATCH 1/4] [OpenPROM]: Fix signedness bug in openprom char driver CVE-2004-2731 describes two issues in the openprom driver. The first issue, an integer overflow in copyin_string(), appears to be fixed in 2.4. The second issue, an overflow in copyin(), is still present. A description of both issues is here: http://www.securityfocus.com/archive/1/367575 The user-provided 'bufsize' is checked for being too large, but is not checked for being negative. This patch avoids this situation by making bufsize unsigned. This change has been in 2.6 for a number of years now: http://linux.bkbits.net:8080/linux-2.6/?PAGE=patch&REV=3d686423le0SEotURGfYEbgMpPGKqw Signed-off-by: dann frazier --- diff --git a/drivers/sbus/char/openprom.c b/drivers/sbus/char/openprom.c index 7f74f9f3..33e4ec7c 100644 --- a/drivers/sbus/char/openprom.c +++ b/drivers/sbus/char/openprom.c @@ -68,7 +68,7 @@ static int options_node = 0; */ static int copyin(struct openpromio *info, struct openpromio **opp_p) { - int bufsize; + unsigned int bufsize; if (!info || !opp_p) return -EFAULT;
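Review bot: the hunk only changes the declaration `int bufsize;` to `unsigned int bufsize;`, so the fix depends entirely on the upper-bound check that follows in copyin() (outside the visible hunk) now rejecting the formerly negative values as large unsigned ones; the rest of copyin() should be checked to confirm that the comparison against the maximum size and every later use of `bufsize` (allocation size, copy length, and the value read from the user-supplied struct openpromio) are consistent with an unsigned operand and do not pick up new signed/unsigned comparison warnings. A one-line comment above the declaration noting that it is unsigned specifically to close the negative-size path from CVE-2004-2731 would also stop a later cleanup from reverting it.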