From: Don Howard <dhoward@redhat.com> Subject: buffer overflow in omnikey cardman driver Date: Wed, 14 Feb 2007 16:30:37 -0800 (PST) Bugzilla: 227478 Message-Id: <Pine.LNX.4.64.0702131215340.5706@sugarmagnolia.remotee.org> Changelog: [pcmcia] buffer overflow in omnikey cardman driver >From Daniel Roethlisberger: "While using the Linux drivers for the CM4040 as a reference for writing a cmx FreeBSD driver I found two buffer overflows in the Linux drivers, one in the write() and one in the read() handler. When calling write() with a buffer larger than 512 bytes, the driver's write buffer overflows, allowing to overwrite the EIP and execute arbitrary code with kernel privileges. In read(), we have a similar problem, but coming from the device. A malicous or buggy device sending more than 512 bytes can overflow of the driver's read buffer, with the same effects as above." Patch updated to return -EINVAL for too large/small write requests. --- linux-2.6.18.noarch/drivers/char/pcmcia/cm4040_cs.c.orig 2007-02-14 19:56:00.000000000 -0800 +++ linux-2.6.18.noarch/drivers/char/pcmcia/cm4040_cs.c 2007-02-14 20:00:14.000000000 -0800 @@ -273,6 +273,7 @@ static ssize_t cm4040_read(struct file * DEBUGP(6, dev, "BytesToRead=%lu\n", bytes_to_read); min_bytes_to_read = min(count, bytes_to_read + 5); + min_bytes_to_read = min_t(size_t, min_bytes_to_read, READ_WRITE_BUFFER_SIZE); DEBUGP(6, dev, "Min=%lu\n", min_bytes_to_read); @@ -340,9 +341,9 @@ static ssize_t cm4040_write(struct file return 0; } - if (count < 5) { + if ((count < 5) || (count > READ_WRITE_BUFFER_SIZE)) { DEBUGP(2, dev, "<- cm4040_write buffersize=%Zd < 5\n", count); - return -EIO; + return -EINVAL; } if (filp->f_flags & O_NONBLOCK) {