From: walter harms <wharms@bfs.de>
To: Dan Carpenter <dan.carpenter@oracle.com>
Cc: Mauro Carvalho Chehab <m.chehab@samsung.com>,
Antti Palosaari <crope@iki.fi>,
Nickolai Zeldovich <nickolai@csail.mit.edu>,
Peter Senna Tschudin <peter.senna@gmail.com>,
Andy Shevchenko <andriy.shevchenko@linux.intel.com>,
linux-media@vger.kernel.org, kernel-janitors@vger.kernel.org
Subject: Re: [patch] [media] bt8xx: info leak in ca_get_slot_info()
Date: Thu, 25 Jul 2013 17:29:09 +0000
Message-ID: <51F16065.40804@bfs.de>
In-Reply-To: <20130725164621.GA6945@elgon.mountain>
On 25.07.2013 18:46, Dan Carpenter wrote:
> p_ca_slot_info was allocated with kmalloc() so we need to clear it
> before passing it to the user.
>
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
>
> diff --git a/drivers/media/pci/bt8xx/dst_ca.c b/drivers/media/pci/bt8xx/dst_ca.c
> index 0e788fc..6b9dc3f 100644
> --- a/drivers/media/pci/bt8xx/dst_ca.c
> +++ b/drivers/media/pci/bt8xx/dst_ca.c
> @@ -302,8 +302,11 @@ static int ca_get_slot_info(struct dst_state *state, struct ca_slot_info *p_ca_s
> p_ca_slot_info->flags = CA_CI_MODULE_READY;
> p_ca_slot_info->num = 1;
> p_ca_slot_info->type = CA_CI;
> - } else
> + } else {
> p_ca_slot_info->flags = 0;
> + p_ca_slot_info->num = 0;
> + p_ca_slot_info->type = 0;
> + }
>
> if (copy_to_user(arg, p_ca_slot_info, sizeof (struct ca_slot_info)))
> return -EFAULT;
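Review bot: the new else branch assigns only flags, num and type, yet the copy_to_user() right after it copies sizeof (struct ca_slot_info) bytes, so any other member or compiler padding in the struct would still come from the uninitialized kmalloc() buffer named in the commit message. A single memset(p_ca_slot_info, 0, sizeof (struct ca_slot_info)) ahead of the if/else, or allocating the buffer with kzalloc(), would cover both branches and make the per-field zeroing unnecessary.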
note: I have no clue what p_ca_slot_info looks like,
but to avoid information leaks via compiler padding etc. it could be more wise
to do a memset(p_ca_slot_info,0,sizeof (struct ca_slot_info))
and then set the
p_ca_slot_info->flags = CA_CI_MODULE_READY;
p_ca_slot_info->num = 1;
p_ca_slot_info->type = CA_CI;
just my 2 cents,
re,
wh
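
Added example, not part of the thread or of the driver: a userspace model of the padding concern raised in the reply above, comparing field-by-field assignment with zeroing the whole object first. The struct layout, the 0xAA marker and the function names are assumptions made for the demonstration; the real struct ca_slot_info is not shown on this page.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical layout, NOT the real struct ca_slot_info: the char member
 * makes the compiler insert padding before the int on common ABIs. */
struct demo_slot_info {
    unsigned char num;
    int type;
    unsigned int flags;
};

#define STALE 0xAA /* constructed marker standing in for old heap contents */

/* Bytes of the struct that belong to no member. */
size_t padding_bytes(void)
{
    return sizeof(struct demo_slot_info)
         - sizeof(unsigned char) - sizeof(int) - sizeof(unsigned int);
}

/* Fill the struct member by member, then count marker bytes that would
 * reach the caller when the whole object is copied out. */
size_t leaked_bytes(int zero_first)
{
    size_t i, leaked = 0;
    struct demo_slot_info *p = malloc(sizeof(*p));
    unsigned char out[sizeof(struct demo_slot_info)];

    if (!p)
        return (size_t)-1;
    memset(p, STALE, sizeof(*p));   /* simulate a dirty kmalloc() buffer */
    if (zero_first)
        memset(p, 0, sizeof(*p));   /* the memset suggested in the reply */
    p->flags = 1;                   /* every member is assigned explicitly */
    p->num = 1;
    p->type = 1;
    memcpy(out, p, sizeof(out));    /* stands in for copy_to_user() */
    free(p);
    for (i = 0; i < sizeof(out); i++)
        leaked += (out[i] == STALE);
    return leaked;
}
```

Even with every member assigned, `leaked_bytes(0)` reports the padding bytes as stale, while `leaked_bytes(1)` reports none.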