* [PATCH v2] drivers/video/via/ioctl.c: prevent reading
From: Dan Rosenberg @ 2010-09-15 23:08 UTC
To: JosephChan, ScottFang, FlorianSchandinat
Cc: linux-fbdev, linux-kernel, security, stable

Disregard previous version, which had a typo and wouldn't compile.
Also, math is fun: the ioctl allows reading of 1968 BITS = 246 bytes,
not 1968 bytes as previously reported.

The VIAFB_GET_INFO device ioctl allows unprivileged users to read 246
bytes of uninitialized stack memory, because the "reserved" member of
the viafb_ioctl_info struct declared on the stack is not altered or
zeroed before being copied back to the user. This patch takes care of
it.

Signed-off-by: Dan Rosenberg <dan.j.rosenberg@gmail.com>

--- linux-2.6.35.4.orig/drivers/video/via/ioctl.c 2010-08-26 19:47:12.000000000 -0400
+++ linux-2.6.35.4/drivers/video/via/ioctl.c 2010-09-15 11:53:29.997375748 -0400
@@ -25,6 +25,8 @@ int viafb_ioctl_get_viafb_info(u_long ar
{
struct viafb_ioctl_info viainfo;
+ memset(&viainfo, 0, sizeof(struct viafb_ioctl_info));
+
viainfo.viafb_id = VIAID;
viainfo.vendor_id = PCI_VIA_VENDOR_ID;
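
Review bot: On the added memset() line, sizeof(viainfo) would be preferable to sizeof(struct viafb_ioctl_info), so that the length stays tied to the variable being cleared if its declaration ever changes; a mismatch there would quietly turn the full clear into a partial one. The "Disregard previous version ..." remark would also sit better below a "---" separator, so that it does not end up in the commit log.
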
* Re: [PATCH v2] drivers/video/via/ioctl.c: prevent reading uninitialized
2010-09-15 23:08 ` [PATCH v2] drivers/video/via/ioctl.c: prevent reading uninitialized stack memory Dan Rosenberg
From: Florian Tobias Schandinat @ 2010-09-15 23:45 UTC
To: Dan Rosenberg
Cc: JosephChan, ScottFang, linux-fbdev, linux-kernel, security, stable

Dan Rosenberg wrote:
> Disregard previous version, which had a typo and wouldn't compile.
> Also, math is fun: the ioctl allows reading of 1968 BITS = 246 bytes,
> not 1968 bytes as previously reported.

Thanks, I will take care of getting it in mainline as soon as possible,

Florian Tobias Schandinat
>
> The VIAFB_GET_INFO device ioctl allows unprivileged users to read 246
> bytes of uninitialized stack memory, because the "reserved" member of
> the viafb_ioctl_info struct declared on the stack is not altered or
> zeroed before being copied back to the user. This patch takes care of
> it.
>
> Signed-off-by: Dan Rosenberg <dan.j.rosenberg@gmail.com>
>
> --- linux-2.6.35.4.orig/drivers/video/via/ioctl.c 2010-08-26 19:47:12.000000000 -0400
> +++ linux-2.6.35.4/drivers/video/via/ioctl.c 2010-09-15 11:53:29.997375748 -0400
> @@ -25,6 +25,8 @@ int viafb_ioctl_get_viafb_info(u_long ar
> {
> struct viafb_ioctl_info viainfo;
>
> + memset(&viainfo, 0, sizeof(struct viafb_ioctl_info));
> +
> viainfo.viafb_id = VIAID;
> viainfo.vendor_id = PCI_VIA_VENDOR_ID;
>
>
>
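
Review bot: The memset() added at the top of viafb_ioctl_get_viafb_info() carries no comment saying that it exists to keep the unwritten "reserved" member from reaching user space, so a later cleanup could swap it for per-field assignments or an initializer and bring the leak back. A one-line comment above the call, stating that the whole struct is copied to the user and must be fully cleared first, would document that.
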
>
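
The leak described in the patch description quoted above, reproduced in user space as an added example (not code from the thread or from the driver). The struct demo_info layout, the poison value and the field values are constructed assumptions; the check goes slightly beyond the text by also counting compiler padding, which a whole-struct memset() clears along with the reserved member.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define POISON 0xA5 /* marks stale bytes left by an earlier stack frame */

/* Constructed reply struct (assumption): NOT the real viafb_ioctl_info. */
struct demo_info {
    uint32_t id;
    uint16_t vendor_id;     /* compilers usually pad after this member */
    uint32_t flags;
    uint16_t reserved[123]; /* 246 bytes the handler never writes */
};

/* Field-by-field fill, the pre-patch pattern. Sample values are
 * constructed and contain no POISON byte. */
static void fill_fields(struct demo_info *p)
{
    p->id = 0x12345678;
    p->vendor_id = 0x1106;
    p->flags = 1;
}

/* Build the reply over poisoned storage and count the bytes that would
 * reach user space still holding stale data. Returns (size_t)-1 on OOM. */
size_t stale_bytes(int zero_first)
{
    unsigned char *frame = malloc(sizeof(struct demo_info));
    struct demo_info *p = (struct demo_info *)frame;
    size_t i, n = 0;
    if (!frame)
        return (size_t)-1;
    memset(frame, POISON, sizeof(*p)); /* simulate a dirty stack */
    if (zero_first)
        memset(p, 0, sizeof(*p));      /* the fix from the patch */
    fill_fields(p);
    for (i = 0; i < sizeof(*p); i++)
        n += (frame[i] == POISON);
    free(frame);
    return n;
}

int main(void)
{
    printf("unfixed: %zu, fixed: %zu stale bytes\n", stale_bytes(0), stale_bytes(1));
    return 0;
}
```

The same poison-and-count check can be used as a unit test for any struct that is copied out to a less privileged caller.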