From: Dan Carpenter <dan.carpenter@oracle.com>
To: Jaroslav Kysela <perex@perex.cz>
Cc: Takashi Iwai <tiwai@suse.de>,
Eliot Blennerhassett <eliot@blennerhassett.gen.nz>,
alsa-devel@alsa-project.org, kernel-janitors@vger.kernel.org
Subject: [patch] ALSA: asihpi: fix an information leak in asihpi_hpi_ioctl()
Date: Mon, 22 Dec 2014 10:49:46 +0300 [thread overview]
Message-ID: <20141222074946.GA9737@mwanda> (raw)
So far as I can see "hr->h.size" is set to "res_max_size" which is a
user controlled value between 12 and USHRT_MAX. If it's larger than
sizeof(*hr), then that leads to an information leak.
I am not very familiar with this code, my other question here is that
on lines before we set "hr->h.size = sizeof(hr->h)". It think this is
a bug. I also think this particular code is never executed and I added
a comment to that effect. But we do it in earlier in the function as
well:
copy_to_user(puhr, hr, sizeof(hr->h));
It doesn't make sense to me.
Anyway, I think my patch is safe and it seems to fix a real information
leak.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
diff --git a/sound/pci/asihpi/hpioctl.c b/sound/pci/asihpi/hpioctl.c
index 6aa677e..f88109a 100644
--- a/sound/pci/asihpi/hpioctl.c
+++ b/sound/pci/asihpi/hpioctl.c
@@ -283,6 +283,7 @@ long asihpi_hpi_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
goto out;
}
+ /* FIXME: isn't this a no-op? */
if (hr->h.size > res_max_size) {
HPI_DEBUG_LOG(ERROR, "response too big %d %d\n", hr->h.size,
res_max_size);
@@ -290,6 +291,9 @@ long asihpi_hpi_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
hr->h.specific_error = hr->h.size;
hr->h.size = sizeof(hr->h);
}
+ /* prevent an information leak */
+ if (hr->h.size > sizeof(*hr))
+ hr->h.size = sizeof(*hr);
uncopied_bytes = copy_to_user(puhr, hr, hr->h.size);
if (uncopied_bytes) {
WARNING: multiple messages have this Message-ID (diff)
From: Dan Carpenter <dan.carpenter@oracle.com>
To: Jaroslav Kysela <perex@perex.cz>
Cc: Takashi Iwai <tiwai@suse.de>,
Eliot Blennerhassett <eliot@blennerhassett.gen.nz>,
alsa-devel@alsa-project.org, kernel-janitors@vger.kernel.org
Subject: [patch] ALSA: asihpi: fix an information leak in asihpi_hpi_ioctl()
Date: Mon, 22 Dec 2014 07:49:46 +0000 [thread overview]
Message-ID: <20141222074946.GA9737@mwanda> (raw)
So far as I can see "hr->h.size" is set to "res_max_size" which is a
user controlled value between 12 and USHRT_MAX. If it's larger than
sizeof(*hr), then that leads to an information leak.
I am not very familiar with this code, my other question here is that
on lines before we set "hr->h.size = sizeof(hr->h)". It think this is
a bug. I also think this particular code is never executed and I added
a comment to that effect. But we do it in earlier in the function as
well:
copy_to_user(puhr, hr, sizeof(hr->h));
It doesn't make sense to me.
Anyway, I think my patch is safe and it seems to fix a real information
leak.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
diff --git a/sound/pci/asihpi/hpioctl.c b/sound/pci/asihpi/hpioctl.c
index 6aa677e..f88109a 100644
--- a/sound/pci/asihpi/hpioctl.c
+++ b/sound/pci/asihpi/hpioctl.c
@@ -283,6 +283,7 @@ long asihpi_hpi_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
goto out;
}
+ /* FIXME: isn't this a no-op? */
if (hr->h.size > res_max_size) {
HPI_DEBUG_LOG(ERROR, "response too big %d %d\n", hr->h.size,
res_max_size);
@@ -290,6 +291,9 @@ long asihpi_hpi_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
hr->h.specific_error = hr->h.size;
hr->h.size = sizeof(hr->h);
}
+ /* prevent an information leak */
+ if (hr->h.size > sizeof(*hr))
+ hr->h.size = sizeof(*hr);
uncopied_bytes = copy_to_user(puhr, hr, hr->h.size);
if (uncopied_bytes) {
next reply other threads:[~2014-12-22 7:49 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-12-22 7:49 Dan Carpenter [this message]
2014-12-22 7:49 ` [patch] ALSA: asihpi: fix an information leak in asihpi_hpi_ioctl() Dan Carpenter
2014-12-26 11:07 ` Takashi Iwai
2014-12-26 11:07 ` Takashi Iwai
2014-12-30 8:07 ` Eliot Blennerhassett
2014-12-30 8:07 ` Eliot Blennerhassett
2014-12-31 6:26 ` Eliot Blennerhassett
2014-12-31 6:26 ` Eliot Blennerhassett
2014-12-31 8:40 ` Takashi Iwai
2014-12-31 8:40 ` Takashi Iwai
[not found] ` <54A3D480.8050104@blennerhassett.gen.nz>
2014-12-31 13:17 ` [patch v2] " Takashi Iwai
2015-01-05 9:33 ` [patch] " Dan Carpenter
2015-01-05 9:33 ` Dan Carpenter
2015-01-05 9:34 ` Takashi Iwai
2015-01-05 9:34 ` Takashi Iwai
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20141222074946.GA9737@mwanda \
--to=dan.carpenter@oracle.com \
--cc=alsa-devel@alsa-project.org \
--cc=eliot@blennerhassett.gen.nz \
--cc=kernel-janitors@vger.kernel.org \
--cc=perex@perex.cz \
--cc=tiwai@suse.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.