From: Greg Kroah-Hartman Date: Fri, 31 Mar 2006 23:37:06 +0000 (-0800) Subject: [PATCH] sysfs: zero terminate sysfs write buffers (CVE-2006-1055) X-Git-Tag: v2.6.16.2~23 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4a80b29d91bc7a598a7d65b2500493a9fc3cb322;p=thirdparty%2Fkernel%2Fstable.git [PATCH] sysfs: zero terminate sysfs write buffers (CVE-2006-1055) No one should be writing a PAGE_SIZE worth of data to a normal sysfs file, so properly terminate the buffer. Thanks to Al Viro for pointing out my stupidity here. CVE-2006-1055 has been assigned for this. Signed-off-by: Greg Kroah-Hartman --- diff --git a/fs/sysfs/file.c b/fs/sysfs/file.c index d0e3d84951652..2ecc58cc368a1 100644 --- a/fs/sysfs/file.c +++ b/fs/sysfs/file.c @@ -183,7 +183,7 @@ fill_write_buffer(struct sysfs_buffer * buffer, const char __user * buf, size_t return -ENOMEM; if (count >= PAGE_SIZE) - count = PAGE_SIZE; + count = PAGE_SIZE - 1; error = copy_from_user(buffer->page,buf,count); buffer->needs_read_fill = 1; return error ? -EFAULT : count;
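Review bot: The clamp in fill_write_buffer() reserves the last byte of the page, but nothing in the visible lines stores a zero there, so termination depends on buffer->page already being zero-filled past count. That can only come from how the page is allocated above this hunk, which is not shown. It also does not cover a buffer that still holds bytes from an earlier, longer write: in that case a string-parsing store method would read the stale tail after the new data. Consider terminating explicitly after the copy succeeds, for example `buffer->page[count] = 0;` following the copy_from_user() call. Also add a short comment at the `count = PAGE_SIZE - 1;` line saying that the byte is reserved for the terminator and that a PAGE_SIZE write is therefore returned as a short write.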