[CPUFREQ] Fix security hole in proc handler.

Brad Spengler <spender@grsecurity.net> found an exploitable bug in the proc handler of cpufreq, where a user-supplied unsigned int is cast to a signed int and then passed on to copy_[to|from]_user() allowing arbitary amounts of memory to be written (root only thankfully), or read (as any user). The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0228 to this issue.

[CPUFREQ] Fix security hole in proc handler.
Brad Spengler <spender@grsecurity.net> found an exploitable bug in the proc handler of cpufreq, where a user-supplied unsigned int is cast to a signed int and then passed on to copy_[to|from]_user() allowing arbitary amounts of memory to be written (root only thankfully), or read (as any user). The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0228 to this issue.
ad4c196a · Dave Jones · Dave Jones · 160df0e8 · ad4c196a
Commit ad4c196a authored Apr 21, 2004 by Dave Jones Committed by Dave Jones Apr 21, 2004
Show whitespace changes
Inline Side-by-side

Showing with 1 addition and 1 deletion

drivers/cpufreq/cpufreq_userspace.c drivers/cpufreq/cpufreq_userspace.c +1 -1

No files found.
--- a/drivers/cpufreq/cpufreq_userspace.c
+++ b/drivers/cpufreq/cpufreq_userspace.c
@@ -168,7 +168,7 @@ cpufreq_procctl(ctl_table *ctl, int write, struct file *filp,
 {
 	char buf[16], *p;
 	int cpu = (long) ctl->extra1;
-	int len, left = *lenp;
+	unsigned int len, left = *lenp;
 	if (!left || (filp->f_pos && !write) || !cpu_online(cpu)) {
 		*lenp = 0;