From: Richard Weinberger <richard@nod.at>
Date: Wed, 20 Mar 2013 11:06:59 +0000 (+0100)
Subject: [IA64] Fix stack overflow in create_palinfo_proc_entries
X-Git-Tag: next-20130322~100^2~1
X-Git-Url: https://git.karo-electronics.de/?a=commitdiff_plain;h=40c275bd92b8a7546205a1adbbca4909dfc865e7;p=karo-tx-linux.git

[IA64] Fix stack overflow in create_palinfo_proc_entries

Having more than 99 CPUs causes an overflow of cpustr.
If an attacker is able to control the number CPUs he might able to inject code
...kind of. ;-)

Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Tony Luck <tony.luck@intel.com>
---

diff --git a/arch/ia64/kernel/palinfo.c b/arch/ia64/kernel/palinfo.c
index 77597e5ea60a..35bee152e158 100644
--- a/arch/ia64/kernel/palinfo.c
+++ b/arch/ia64/kernel/palinfo.c
@@ -971,20 +971,18 @@ palinfo_read_entry(char *page, char **start, off_t off, int count, int *eof, voi
 static void __cpuinit
 create_palinfo_proc_entries(unsigned int cpu)
 {
-#	define CPUSTR	"cpu%d"
-
 	pal_func_cpu_u_t f;
 	struct proc_dir_entry **pdir;
 	struct proc_dir_entry *cpu_dir;
 	int j;
-	char cpustr[sizeof(CPUSTR)];
+	char cpustr[32];
 
 
 	/*
 	 * we keep track of created entries in a depth-first order for
 	 * cleanup purposes. Each entry is stored into palinfo_proc_entries
 	 */
-	sprintf(cpustr,CPUSTR, cpu);
+	snprintf(cpustr, sizeof(cpustr), "cpu%d", cpu);
 
 	cpu_dir = proc_mkdir(cpustr, palinfo_dir);