aboutsummaryrefslogtreecommitdiffstats
path: root/arch
diff options
context:
space:
mode:
authorKees Cook <keescook@chromium.org>2012-10-25 13:38:14 -0700
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2012-10-31 09:51:33 -0700
commited12438d94ded9c028570776898418adbb497f58 (patch)
treece92a47d837a94a5f72f172ed75443772385f103 /arch
parentd9ee258b13506301b6da6450cf7a1692826b471e (diff)
downloadkernel_samsung_smdk4412-ed12438d94ded9c028570776898418adbb497f58.zip
kernel_samsung_smdk4412-ed12438d94ded9c028570776898418adbb497f58.tar.gz
kernel_samsung_smdk4412-ed12438d94ded9c028570776898418adbb497f58.tar.bz2
gen_init_cpio: avoid stack overflow when expanding
commit 20f1de659b77364d55d4e7fad2ef657e7730323f upstream. Fix possible overflow of the buffer used for expanding environment variables when building file list. In the extremely unlikely case of an attacker having control over the environment variables visible to gen_init_cpio, control over the contents of the file gen_init_cpio parses, and gen_init_cpio was built without compiler hardening, the attacker can gain arbitrary execution control via a stack buffer overflow. $ cat usr/crash.list file foo ${BIG}${BIG}${BIG}${BIG}${BIG}${BIG} 0755 0 0 $ BIG=$(perl -e 'print "A" x 4096;') ./usr/gen_init_cpio usr/crash.list *** buffer overflow detected ***: ./usr/gen_init_cpio terminated This also replaces the space-indenting with tabs. Patch based on existing fix extracted from grsecurity. Signed-off-by: Kees Cook <keescook@chromium.org> Cc: Michal Marek <mmarek@suse.cz> Cc: Brad Spengler <spender@grsecurity.net> Cc: PaX Team <pageexec@freemail.hu> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'arch')
0 files changed, 0 insertions, 0 deletions