Brad Spengler <spender@grsecurity.net> found an exploitable bug in the proc handler
of cpufreq, where a user-supplied unsigned int is cast to a signed int and then
passed on to copy_[to|from]_user() allowing arbitrary amounts of memory to be written
(root only thankfully), or read (as any user).
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned
the name CAN-2004-0228 to this issue.
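To illustrate the bug class the advisory describes, here is an added, user-space model (not the kernel's code) of a proc handler's read-path length clamp: the user-controlled count is stored first in a signed `int`, as the unpatched code did, and then in an `unsigned int`, as the patch does. The `if (len > left)` clamp and `produced` are assumptions standing in for the real function; the value returned is the length that would reach copy_to_user().

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define BUFLEN 16  /* mirrors char buf[16] in the handler */

/* Unpatched pattern: the caller's count lands in a signed int.
 * A large count (e.g. 0xFFFFFFFF) becomes negative, so the clamp
 * "len = left" picks the negative value, which turns into a huge
 * size_t when handed to copy_to_user(). Returns that size. */
size_t clamp_len_signed(size_t user_count, int produced)
{
    int len = produced;
    int left = (int)user_count;   /* the cast the advisory describes */
    if (len > left)
        len = left;               /* negative left always "wins" */
    return (size_t)len;
}

/* Patched pattern: both lengths are unsigned, so the comparison is
 * unsigned and a large count can only ever shrink len. (A count that is
 * an exact multiple of 2^32 truncates to 0, which the handler's early
 * "!left" check rejects.) */
size_t clamp_len_unsigned(size_t user_count, unsigned int produced)
{
    unsigned int len = produced;
    unsigned int left = (unsigned int)user_count;
    if (len > left)
        len = left;
    return (size_t)len;
}

/* True when a length could overrun the 16-byte stack buffer. */
int exceeds_buf(size_t n)
{
    return n > BUFLEN;
}

int main(void)
{
    size_t big = (size_t)0xFFFFFFFFu;  /* constructed hostile count */
    printf("signed:   %zu bytes (overrun: %d)\n",
           clamp_len_signed(big, 3), exceeds_buf(clamp_len_signed(big, 3)));
    printf("unsigned: %zu bytes (overrun: %d)\n",
           clamp_len_unsigned(big, 3), exceeds_buf(clamp_len_unsigned(big, 3)));
    return 0;
}
```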
{
char buf[16], *p;
int cpu = (long) ctl->extra1;
- int len, left = *lenp;
+ unsigned int len, left = *lenp;
if (!left || (filp->f_pos && !write) || !cpu_online(cpu)) {
*lenp = 0;
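Review bot: the hunk changes only the declarations (`unsigned int len, left = *lenp;`), so the comparisons that actually bound `len` and `left` against `sizeof(buf)` are outside the visible context; confirm that every such comparison in this function now has unsigned operands on both sides, and that `len` is never later assigned a signed return value (such as the result of a formatting call) whose negative error case would wrap to a huge unsigned length. The early `if (!left ...)` check still rejects a zero count after the assignment, including a count that truncates to zero when copied into the narrower `unsigned int`; worth a sentence in the change description.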