releases/2.6.16.2/sysfs-off-by-one.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From foo@baz Tue Apr  9 12:12:43 2002
 Date: Fri, 31 Mar 2006 15:37:06 -0800
 From: Greg Kroah-Hartman <gregkh@suse.de>
 Subject: sysfs: zero terminate sysfs write buffers (CVE-2006-1055)

 No one should be writing a PAGE_SIZE worth of data to a normal sysfs
 file, so properly terminate the buffer.

 Thanks to Al Viro for pointing out my stupidity here.

 CVE-2006-1055 has been assigned for this.

 Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

 ---
  fs/sysfs/file.c |    2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)

 --- linux-2.6.16.1.orig/fs/sysfs/file.c
 +++ linux-2.6.16.1/fs/sysfs/file.c
 @@ -183,7 +183,7 @@ fill_write_buffer(struct sysfs_buffer *
  		return -ENOMEM;

  	if (count >= PAGE_SIZE)
 -		count = PAGE_SIZE;
 +		count = PAGE_SIZE - 1;
  	error = copy_from_user(buffer->page,buf,count);
  	buffer->needs_read_fill = 1;
  	return error ? -EFAULT : count;
	From foo@baz Tue Apr 9 12:12:43 2002
	Date: Fri, 31 Mar 2006 15:37:06 -0800
	From: Greg Kroah-Hartman <gregkh@suse.de>
	Subject: sysfs: zero terminate sysfs write buffers (CVE-2006-1055)

	No one should be writing a PAGE_SIZE worth of data to a normal sysfs
	file, so properly terminate the buffer.

	Thanks to Al Viro for pointing out my stupidity here.

	CVE-2006-1055 has been assigned for this.

	Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

	---
	fs/sysfs/file.c \| 2 +-
	1 file changed, 1 insertion(+), 1 deletion(-)

	--- linux-2.6.16.1.orig/fs/sysfs/file.c
	+++ linux-2.6.16.1/fs/sysfs/file.c
	@@ -183,7 +183,7 @@ fill_write_buffer(struct sysfs_buffer *
	return -ENOMEM;

	if (count >= PAGE_SIZE)
	- count = PAGE_SIZE;
	+ count = PAGE_SIZE - 1;
	error = copy_from_user(buffer->page,buf,count);
	buffer->needs_read_fill = 1;
	return error ? -EFAULT : count;