From: Tobias Stoeckmann
Date: Sun, 26 Oct 2014 17:41:24 +0000 (+0100)
Subject: lscpu: theoretical buffer overflow
X-Git-Tag: v2.26-rc1~213
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6cbf75e56ef70f2213ae0c7f025289a176ed5039;p=thirdparty%2Futil-linux.git

lscpu: theoretical buffer overflow

There is a theoretical buffer overflow possible in the hypervisor parsing code of lscpu. It would require a proc entry to return way more than expected, so it's no high priority. But better be safe than sorry.

At first I thought about switching to fgets, but there is another code file that adds a format specifier. The diff is less intrusive that way, too.

Signed-off-by: Karel Zak
---
diff --git a/sys-utils/lscpu.c b/sys-utils/lscpu.c index ef59410883..c272dc238a 100644 --- a/sys-utils/lscpu.c +++ b/sys-utils/lscpu.c @@ -621,7 +621,7 @@ read_hypervisor_powerpc(struct lscpu_desc *desc) fd = path_fopen("r", 0, _PATH_PROC_DEVICETREE "/ibm,partition-name"); if (fd) { char buf[256]; - if (fscanf(fd, "%s", buf) == 1 && !strcmp(buf, "full")) + if (fscanf(fd, "%255s", buf) == 1 && !strcmp(buf, "full")) desc->virtype = VIRT_NONE; fclose(fd); } @@ -757,7 +757,7 @@ read_hypervisor(struct lscpu_desc *desc, struct lscpu_modifier *mod) if (fd) { char buf[256]; - if (fscanf(fd, "%s", buf) == 1 && + if (fscanf(fd, "%255s", buf) == 1 && !strcmp(buf, "control_d")) dom0 = 1; fclose(fd);
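Review bot: In the read_hypervisor_powerpc hunk, `%255s` is the correct width for `char buf[256]` (255 characters plus the terminating NUL), but the bound is now a literal that has to be kept in sync with the array size by hand; if `buf` is ever resized without the format being updated, the overflow quietly returns. Consider deriving the width from the buffer size instead (a shared `#define` used for both the declaration and the format string, or a small macro that stringifies `sizeof(buf) - 1`) so the two cannot drift apart. Also worth noting, though unchanged by this patch: `%s` stops at the first whitespace, so only the first token of `ibm,partition-name` is compared against "full".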
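Review bot: The read_hypervisor hunk repeats the same hard-coded `%255s` against a second `char buf[256]`; the width is right, but as in the PowerPC hunk it duplicates the buffer size and should be tied to it rather than retyped. Both sites do the same thing, read one whitespace-delimited token from a FILE* into a 256-byte buffer and compare it to a fixed string, so a small helper that performs the bounded read and the comparison would put the bound in one place and remove the duplicated pattern. Behaviour on oversized input is fine as written: on a truncated read `fscanf` still returns 1, the `strcmp` against "control_d" simply fails, and `dom0` stays unset.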