Linux kernel SGI GRU Driver Off-by-One Overwrite
This bug was reported by Michael Buesch. The vulnerable code lives in drivers/misc/sgi-gru/gruprocfs.c; here it is as it appeared in the 2.6.30 release of the Linux kernel.
[sourcecode language="c"]
static ssize_t options_write(struct file *file, const char __user *userbuf,
			     size_t count, loff_t *data)
{
	unsigned long val;
	char buf[80];

	if (copy_from_user
	    (buf, userbuf, count < sizeof(buf) ? count : sizeof(buf)))
		return -EFAULT;
	buf[count - 1] = '\0';
	if (!strict_strtoul(buf, 10, &val))
		gru_options = val;

	return count;
}
[/sourcecode]

This function handles write operations on the corresponding procfs file. As you can see, the length passed to copy_from_user() is bounded: the user-controlled 'count' is used only while it is smaller than sizeof(buf), which is 80 according to the previous allocation, and sizeof(buf) otherwise. However, the NUL termination performs no such check and indexes the buffer directly with the user-controlled 'count' minus one. Because of this, a user with write (+w) access to that procfs file can write a NUL byte to arbitrary locations in kernel memory.

The patch is:

[sourcecode language="c"]
+	memset(buf, 0, sizeof(buf));
	if (strncpy_from_user(buf, userbuf, sizeof(buf) - 1) < 0)
		return -EFAULT;
-	buf[count - 1] = '';
	if (!strict_strtoul(buf, 10, &val))
[/sourcecode]

This initializes the whole 'buf' to zero, so there is no longer any need for explicit NUL termination, and removes the buggy line.
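Review bot: the termination guarantee in this hunk rests on the added memset() line rather than on strncpy_from_user(), since strncpy_from_user() does not append a NUL when the user string is at least as long as the limit it is given; with the copy bounded to sizeof(buf) - 1, the final byte stays zero only because the buffer was cleared first. A one-line comment above the memset() saying so would stop a later cleanup from dropping it as redundant.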
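As an added illustration (not code from the kernel or from the original post), here are the pre-patch and post-patch behaviours modelled in user space: the canary placed after the buffer, the constructed user input and the helper names vulnerable_write() and fixed_parse() are all assumptions of this example, not part of the driver.

```c
#include <errno.h>
#include <limits.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE 80
struct frame {
    char buf[BUF_SIZE];
    unsigned char canary[8];  /* stands in for whatever follows buf on the stack */
};

/* Pre-patch logic: the copy is bounded by sizeof(buf) but the terminator index
 * is the raw user-supplied count. The write goes through a byte pointer over the
 * whole frame (defined behaviour); returns 0 if it stayed inside buf, 1 if it
 * hit the canary, 2 if it would land beyond even this model frame. */
static int vulnerable_write(size_t count)
{
    struct frame f;
    char userbuf[BUF_SIZE];
    size_t nul_index = count - 1;           /* unchecked; wraps for count == 0 */
    memset(userbuf, '1', sizeof(userbuf));  /* constructed user input */
    memset(f.canary, 0xff, sizeof(f.canary));
    memcpy(f.buf, userbuf, count < sizeof(f.buf) ? count : sizeof(f.buf));
    if (nul_index >= sizeof(f))
        return 2;
    ((unsigned char *)&f)[nul_index] = 0;   /* buf[count - 1] = '\0' */
    return memchr(f.canary, 0, sizeof(f.canary)) ? 1 : 0;
}

/* Post-patch logic: zero the buffer, then copy at most sizeof(buf) - 1 bytes
 * (memcpy stands in for strncpy_from_user()), so the last byte is always NUL.
 * Like strict_strtoul(), one trailing newline is tolerated. Returns the parsed
 * value, or -1 if the text is not a plain decimal number. */
static long fixed_parse(const char *text)
{
    struct frame f;
    size_t count = strlen(text);
    size_t n = count < sizeof(f.buf) - 1 ? count : sizeof(f.buf) - 1;
    unsigned long val;
    char *end;
    memset(f.buf, 0, sizeof(f.buf));
    memcpy(f.buf, text, n);
    errno = 0;
    val = strtoul(f.buf, &end, 10);
    if (end == f.buf || errno != 0 || val > LONG_MAX)
        return -1;
    if (*end == '\n')
        end++;
    return *end == '\0' ? (long)val : -1;
}
```

With count values of 81 through 88 the pre-patch model lands the NUL on the canary, and a count of 0 wraps the index so the write would leave the frame entirely; the post-patch model never touches anything past buf regardless of the input length.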