[PATCH] RTAS syscall NULL ptr deref (2.6)
John Rose
johnrose at austin.ibm.com
Fri Feb 27 11:22:36 EST 2004
The patch below fixes a NULL ptr deref in the RTAS syscall on 2.6. I
pushed it already, but send comments if you want :)
Thanks-
John
diff -Nru a/arch/ppc64/kernel/rtas.c b/arch/ppc64/kernel/rtas.c
--- a/arch/ppc64/kernel/rtas.c Thu Feb 26 16:30:25 2004
+++ b/arch/ppc64/kernel/rtas.c Thu Feb 26 16:30:25 2004
@@ -426,6 +426,7 @@
{
struct rtas_args args;
unsigned long flags;
+ int nargs;
if (!capable(CAP_SYS_ADMIN))
return -EPERM;
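Review bot: `nargs` is declared as a plain `int` although it is later assigned from `args.nargs`, a field that is presumably unsigned (`struct rtas_args` is not visible in this patch); a value above INT_MAX wraps negative, and the subsequent `nargs > ARRAY_SIZE(args.args)` check rejects it only because the signed local is promoted to `size_t` for the comparison. Declaring the local with the field's own width, e.g. `unsigned int nargs;` (or `u32`), makes the bound check hold by construction rather than by integer promotion. The syscall's body continues outside this hunk.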
@@ -433,14 +434,15 @@
if (copy_from_user(&args, uargs, 3 * sizeof(u32)) != 0)
return -EFAULT;
- if (args.nargs > ARRAY_SIZE(args.args)
+ nargs = args.nargs;
+ if (nargs > ARRAY_SIZE(args.args)
|| args.nret > ARRAY_SIZE(args.args)
- || args.nargs + args.nret > ARRAY_SIZE(args.args))
+ || nargs + args.nret > ARRAY_SIZE(args.args))
return -EINVAL;
/* Copy in args. */
if (copy_from_user(args.args, uargs->args,
- args.nargs * sizeof(rtas_arg_t)) != 0)
+ nargs * sizeof(rtas_arg_t)) != 0)
return -EFAULT;
spin_lock_irqsave(&rtas.lock, flags);
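Review bot: `nret` is validated in this hunk but, unlike `nargs`, is not captured into a local, so the checked value does not survive the later `args = get_paca()->xRtas;` refresh and the copy-out has to trust whatever the firmware wrote back into the field. Capture it beside the existing line, `nret = args.nret;`, and write the two checks that mention it against the local (`nret > ARRAY_SIZE(args.args)`, `nargs + nret > ARRAY_SIZE(args.args)`); the matching `int nret;` declaration belongs next to `nargs` above this hunk. The enclosing syscall starts and ends outside this hunk.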
@@ -449,14 +451,15 @@
enter_rtas((void *)__pa((unsigned long)&get_paca()->xRtas));
args = get_paca()->xRtas;
+ args.rets = (rtas_arg_t *)&(args.args[nargs]);
if (args.rets[0] == -1)
log_rtas_error(&args);
spin_unlock_irqrestore(&rtas.lock, flags);
/* Copy out args. */
- if (copy_to_user(uargs->args + args.nargs,
- args.args + args.nargs,
+ if (copy_to_user(uargs->args + nargs,
+ args.args + nargs,
args.nret * sizeof(rtas_arg_t)) != 0)
return -EFAULT;
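Review bot: The `copy_to_user` length at the end of this hunk still multiplies `args.nret`, which is read from the struct after `args = get_paca()->xRtas;` replaced it with the firmware's copy, whereas the bounds check earlier in the function ran on the pre-call value and only `nargs` was cached. If RTAS hands back a larger `nret`, `args.args + nargs` is copied past the end of `args.args` and kernel stack contents reach the caller; the CAP_SYS_ADMIN gate at the top of the function limits who can trigger it and the firmware is ordinarily trusted, so this is a consistency and defense-in-depth fix rather than a known hole. Cache `nret` the same way `nargs` is cached before the call and use it here: `nret * sizeof(rtas_arg_t)` in place of `args.nret * sizeof(rtas_arg_t)`. The syscall's body continues outside this hunk on both sides.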