[PATCH 1/8] staging: dream: fix information leak to userland

[PATCH 1/8] staging: dream: fix information leak to userland

[Vasiliy Kulikov]

Structure msm_audio_stats is copied to userland with some fields unitialized.
It leads to leaking of contents of kernel stack memory.
Also struct msm_audio_config has field "unused" of type array of 3 elements,
not 4.  Instead of this, initialize field "type".

Signed-off-by: Vasiliy Kulikov <segooon@gmail.com>
---
 drivers/staging/dream/qdsp5/audio_aac.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

diff --git a/drivers/staging/dream/qdsp5/audio_aac.c b/drivers/staging/dream/qdsp5/audio_aac.c
index 45f4c78..b058c24 100644
--- a/drivers/staging/dream/qdsp5/audio_aac.c
+++ b/drivers/staging/dream/qdsp5/audio_aac.c
@@ -589,6 +589,7 @@ static long audio_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
 
 	if (cmd = AUDIO_GET_STATS) {
 		struct msm_audio_stats stats;
+		memset(&stats, 0, sizeof(stats));
 		stats.byte_count = audpp_avsync_byte_count(audio->dec_id);
 		stats.sample_count = audpp_avsync_sample_count(audio->dec_id);
 		if (copy_to_user((void *)arg, &stats, sizeof(stats)))
@@ -664,10 +665,10 @@ static long audio_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
 			} else {
 				config.channel_count = 2;
 			}
+			config.type = 0;
 			config.unused[0] = 0;
 			config.unused[1] = 0;
 			config.unused[2] = 0;
-			config.unused[3] = 0;
 			if (copy_to_user((void *)arg, &config,
 					 sizeof(config)))
 				rc = -EFAULT;
-- 
1.7.0.4

Re: [PATCH 1/8] staging: dream: fix information leak to userland

[Greg KH]

On Fri, Oct 29, 2010 at 12:01:37AM +0400, Vasiliy Kulikov wrote:
> Structure msm_audio_stats is copied to userland with some fields unitialized.
> It leads to leaking of contents of kernel stack memory.
> Also struct msm_audio_config has field "unused" of type array of 3 elements,
> not 4.  Instead of this, initialize field "type".
> 
> Signed-off-by: Vasiliy Kulikov <segooon@gmail.com>
> ---
>  drivers/staging/dream/qdsp5/audio_aac.c |    3 ++-

{sigh}

I'd really like to just drop this whole driver as I feel it's _way_
behind whatever anyone is really using "in the wild".

Actually, I doubt that anyone even uses this thing, do they?

Any objection to me just dropping the drivers/staging/dream/ tree?
People should be working on the chipset-specific driver tree here
instead, right?

Pavel, it looks like you're not doing any dream work anymore, any
problems with me dropping it?

thanks,

greg k-h

Re: [PATCH 1/8] staging: dream: fix information leak to userland

[Pavel Machek]

Hi!

> > Structure msm_audio_stats is copied to userland with some fields unitialized.
> > It leads to leaking of contents of kernel stack memory.
> > Also struct msm_audio_config has field "unused" of type array of 3 elements,
> > not 4.  Instead of this, initialize field "type".
> > 
> > Signed-off-by: Vasiliy Kulikov <segooon@gmail.com>
> > ---
> >  drivers/staging/dream/qdsp5/audio_aac.c |    3 ++-
> 
> {sigh}
> 
> I'd really like to just drop this whole driver as I feel it's _way_
> behind whatever anyone is really using "in the wild".
> 
> Actually, I doubt that anyone even uses this thing, do they?

Not sure, you should definitely talk to codeaurora folks.

> Any objection to me just dropping the drivers/staging/dream/ tree?
> People should be working on the chipset-specific driver tree here
> instead, right?

codeaurora people should know...

> Pavel, it looks like you're not doing any dream work anymore, any
> problems with me dropping it?

Too busy to do any real work on Dream, sorry :-(.
								Pavel
-- 
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html

Re: [PATCH 1/8] staging: dream: fix information leak to userland

[Greg KH]

On Thu, Oct 28, 2010 at 10:58:31PM +0200, Pavel Machek wrote:
> Hi!
> 
> > > Structure msm_audio_stats is copied to userland with some fields unitialized.
> > > It leads to leaking of contents of kernel stack memory.
> > > Also struct msm_audio_config has field "unused" of type array of 3 elements,
> > > not 4.  Instead of this, initialize field "type".
> > > 
> > > Signed-off-by: Vasiliy Kulikov <segooon@gmail.com>
> > > ---
> > >  drivers/staging/dream/qdsp5/audio_aac.c |    3 ++-
> > 
> > {sigh}
> > 
> > I'd really like to just drop this whole driver as I feel it's _way_
> > behind whatever anyone is really using "in the wild".
> > 
> > Actually, I doubt that anyone even uses this thing, do they?
> 
> Not sure, you should definitely talk to codeaurora folks.
> 
> > Any objection to me just dropping the drivers/staging/dream/ tree?
> > People should be working on the chipset-specific driver tree here
> > instead, right?
> 
> codeaurora people should know...

Which specific ones?  No one seems to be contributing to the
drivers/staging/dream/ anymore, and there are a number of out-of-tree
dream trees floating around now.

> > Pavel, it looks like you're not doing any dream work anymore, any
> > problems with me dropping it?
> 
> Too busy to do any real work on Dream, sorry :-(.

Ok, I think I'll just drop it unless someone screams.

thanks,

greg k-h

Re: [PATCH 1/8] staging: dream: fix information leak to userland

[Bryan Huntsman]

>>> Pavel, it looks like you're not doing any dream work anymore, any
>>> problems with me dropping it?
>>
>> Too busy to do any real work on Dream, sorry :-(.
> 
> Ok, I think I'll just drop it unless someone screams.
> 
> thanks,
> 
> greg k-h

Greg, I'll check around internally and see if there are any concerns about dropping it.  I'll get back to you soon.  Thanks.

- Bryan

-- 
Sent by an employee of the Qualcomm Innovation Center, Inc.
The Qualcomm Innovation Center, Inc. is a member of the Code Aurora Forum.

Re: [PATCH 1/8] staging: dream: fix information leak to userland

[Greg KH]

On Thu, Oct 28, 2010 at 06:32:53PM -0700, Bryan Huntsman wrote:
> >>> Pavel, it looks like you're not doing any dream work anymore, any
> >>> problems with me dropping it?
> >>
> >> Too busy to do any real work on Dream, sorry :-(.
> > 
> > Ok, I think I'll just drop it unless someone screams.
> > 
> > thanks,
> > 
> > greg k-h
> 
> Greg, I'll check around internally and see if there are any concerns
> about dropping it.  I'll get back to you soon.  Thanks.

Wonderful, thanks for doing this.

greg k-h

Re: [PATCH 1/8] staging: dream: fix information leak to userland

[Bryan Huntsman]

>> Greg, I'll check around internally and see if there are any concerns
>> about dropping it.  I'll get back to you soon.  Thanks.
> 
> Wonderful, thanks for doing this.
> 
> greg k-h

No concerns from us.  Feel free to drop it.  Thanks.

- Bryan

-- 
Sent by an employee of the Qualcomm Innovation Center, Inc.
The Qualcomm Innovation Center, Inc. is a member of the Code Aurora Forum.

Re: [PATCH 1/8] staging: dream: fix information leak to userland

[Greg KH]

On Fri, Oct 29, 2010 at 11:27:00AM -0700, Bryan Huntsman wrote:
> 
> >> Greg, I'll check around internally and see if there are any concerns
> >> about dropping it.  I'll get back to you soon.  Thanks.
> > 
> > Wonderful, thanks for doing this.
> > 
> > greg k-h
> 
> No concerns from us.  Feel free to drop it.  Thanks.

Great, will do, thanks for letting me know.

greg k-h