From: Florian Tobias Schandinat <FlorianSchandinat@gmx.de>
To: Dan Rosenberg <drosenberg@vsecurity.com>
Cc: JosephChan@via.com.tw, linux-fbdev@vger.kernel.org,
linux-kernel@vger.kernel.org, security@kernel.org,
stable@kernel.org
Subject: Re: [PATCH] drivers/video/via/ioctl.c: prevent reading uninitialized
Date: Wed, 15 Sep 2010 22:42:12 +0000 [thread overview]
Message-ID: <4C914BC4.8070809@gmx.de> (raw)
In-Reply-To: <1284587059.6275.101.camel@dan>
Hi,
Dan Rosenberg schrieb:
> The VIAFB_GET_INFO device ioctl allows unprivileged users to read 1968
> bytes of uninitialized stack memory, because the "reserved" member of
> the viafb_ioctl_info struct declared on the stack is not altered or
> zeroed before being copied back to the user. This patch takes care of
> it.
I am wondering about the number of bytes as sizeof(struct viafb_ioctl_info) =
256 so it should be a bit less. But that's just nitpicking, the issue is
certainly real. Your patch does the right thing but there is a bug in it:
> Signed-off-by: Dan Rosenberg <dan.j.rosenberg@gmail.com>
>
> --- linux-2.6.35.4.orig/drivers/video/via/ioctl.c 2010-08-26 19:47:12.000000000 -0400
> +++ linux-2.6.35.4/drivers/video/via/ioctl.c 2010-09-15 11:53:29.997375748 -0400
> @@ -25,6 +25,8 @@ int viafb_ioctl_get_viafb_info(u_long ar
> {
> struct viafb_ioctl_info viainfo;
>
> + memset(&viainfo, 0, sizeof(struct viafb_ioctl));
Shouldn't it be sizeof(struct viafb_ioctl_info) or sizeof(viainfo) ?
At least here it does not even compile otherwise....
Thanks,
Florian Tobias Schandinat
WARNING: multiple messages have this Message-ID (diff)
From: Florian Tobias Schandinat <FlorianSchandinat@gmx.de>
To: Dan Rosenberg <drosenberg@vsecurity.com>
Cc: JosephChan@via.com.tw, linux-fbdev@vger.kernel.org,
linux-kernel@vger.kernel.org, security@kernel.org,
stable@kernel.org
Subject: Re: [PATCH] drivers/video/via/ioctl.c: prevent reading uninitialized stack memory
Date: Thu, 16 Sep 2010 00:42:12 +0200 [thread overview]
Message-ID: <4C914BC4.8070809@gmx.de> (raw)
In-Reply-To: <1284587059.6275.101.camel@dan>
Hi,
Dan Rosenberg schrieb:
> The VIAFB_GET_INFO device ioctl allows unprivileged users to read 1968
> bytes of uninitialized stack memory, because the "reserved" member of
> the viafb_ioctl_info struct declared on the stack is not altered or
> zeroed before being copied back to the user. This patch takes care of
> it.
I am wondering about the number of bytes as sizeof(struct viafb_ioctl_info) =
256 so it should be a bit less. But that's just nitpicking, the issue is
certainly real. Your patch does the right thing but there is a bug in it:
> Signed-off-by: Dan Rosenberg <dan.j.rosenberg@gmail.com>
>
> --- linux-2.6.35.4.orig/drivers/video/via/ioctl.c 2010-08-26 19:47:12.000000000 -0400
> +++ linux-2.6.35.4/drivers/video/via/ioctl.c 2010-09-15 11:53:29.997375748 -0400
> @@ -25,6 +25,8 @@ int viafb_ioctl_get_viafb_info(u_long ar
> {
> struct viafb_ioctl_info viainfo;
>
> + memset(&viainfo, 0, sizeof(struct viafb_ioctl));
Shouldn't it be sizeof(struct viafb_ioctl_info) or sizeof(viainfo) ?
At least here it does not even compile otherwise....
Thanks,
Florian Tobias Schandinat
next prev parent reply other threads:[~2010-09-15 22:42 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-09-15 21:44 [PATCH] drivers/video/via/ioctl.c: prevent reading uninitialized Dan Rosenberg
2010-09-15 21:44 ` [PATCH] drivers/video/via/ioctl.c: prevent reading uninitialized stack memory Dan Rosenberg
2010-09-15 22:42 ` Florian Tobias Schandinat [this message]
2010-09-15 22:42 ` Florian Tobias Schandinat
2010-09-16 16:07 ` [PATCH] drivers/video/via/ioctl.c: prevent reading Steven Rostedt
2010-09-16 16:07 ` [PATCH] drivers/video/via/ioctl.c: prevent reading uninitialized stack memory Steven Rostedt
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4C914BC4.8070809@gmx.de \
--to=florianschandinat@gmx.de \
--cc=JosephChan@via.com.tw \
--cc=drosenberg@vsecurity.com \
--cc=linux-fbdev@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=security@kernel.org \
--cc=stable@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.