-
Miao Xie authored
I found that there is a buffer overflow problem in the following code. Version: 2.6.24-rc2, File: kernel/time/clocksource.c:417-432 -------------------------------------------------------------------- static ssize_t sysfs_show_available_clocksources(struct sys_device *dev, char *buf) { struct clocksource *src; char *curr = buf; spin_lock_irq(&clocksource_lock); list_for_each_entry(src, &clocksource_list, list) { curr += sprintf(curr, "%s ", src->name); } spin_unlock_irq(&clocksource_lock); curr += sprintf(curr, "\n"); return curr - buf; } ----------------------------------------------------------------------- sysfs_show_current_clocksources() also has the same problem though in practice the size of current clocksource's name won't exceed PAGE_SIZE. I fix the bug by using snprintf according to the specification of the kernel (Version:2.6.24-rc2,File:Documentation/filesystems/sysfs.txt) Fix sysfs_show_available_clocksources() and sysfs_show_current_clocksources() buffer overflow problem with snprintf(). Signed-off-by:Miao Xie <miaox@cn.fujitsu.com> Cc: WANG Cong <xiyou.wangcong@gmail.com> Cc: Thomas Gleixner <tglx@linutronix.de> Cc: john stultz <johnstul@us.ibm.com> Signed-off-by:
Andrew Morton <akpm@linux-foundation.org> Signed-off-by:
Linus Torvalds <torvalds@linux-foundation.org>
5e2cb101
