* [patch] cciss: info leak in cciss_ioctl32_passthru()
@ 2013-06-03 9:26 Dan Carpenter
2013-09-11 7:38 ` [patch -resend] " Dan Carpenter
0 siblings, 1 reply; 3+ messages in thread
From: Dan Carpenter @ 2013-06-03 9:26 UTC (permalink / raw)
To: Mike Miller; +Cc: iss_storagedev, linux-kernel, kernel-janitors
The arg64 struct has a hole after ->buf_size which isn't cleared.
Or if any of the calls to copy_from_user() fail then that would
cause an information leak as well.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
diff --git a/drivers/block/cciss.c b/drivers/block/cciss.c
index 6374dc1..34971aa 100644
--- a/drivers/block/cciss.c
+++ b/drivers/block/cciss.c
@@ -1201,6 +1201,7 @@ static int cciss_ioctl32_passthru(struct block_device *bdev, fmode_t mode,
int err;
u32 cp;
+ memset(&arg64, 0, sizeof(arg64));
err = 0;
err | copy_from_user(&arg64.LUN_info, &arg32->LUN_info,
^ permalink raw reply related [flat|nested] 3+ messages in thread
* [patch -resend] cciss: info leak in cciss_ioctl32_passthru()
2013-06-03 9:26 [patch] cciss: info leak in cciss_ioctl32_passthru() Dan Carpenter
@ 2013-09-11 7:38 ` Dan Carpenter
2013-09-11 18:13 ` Miller, Mike (OS Dev)
0 siblings, 1 reply; 3+ messages in thread
From: Dan Carpenter @ 2013-09-11 7:38 UTC (permalink / raw)
To: Mike Miller, Andrew Morton
Cc: iss_storagedev, linux-kernel, kernel-janitors, Moritz Muehlenhoff
The arg64 struct has a hole after ->buf_size which isn't cleared.
Or if any of the calls to copy_from_user() fail then that would
cause an information leak as well.
This was assigned CVE-2013-2147.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
diff --git a/drivers/block/cciss.c b/drivers/block/cciss.c
index 6374dc1..34971aa 100644
--- a/drivers/block/cciss.c
+++ b/drivers/block/cciss.c
@@ -1189,6 +1189,7 @@ static int cciss_ioctl32_passthru(struct block_device *bdev, fmode_t mode,
int err;
u32 cp;
+ memset(&arg64, 0, sizeof(arg64));
err = 0;
err | copy_from_user(&arg64.LUN_info, &arg32->LUN_info,
^ permalink raw reply related [flat|nested] 3+ messages in thread
* RE: [patch -resend] cciss: info leak in cciss_ioctl32_passthru()
2013-09-11 7:38 ` [patch -resend] " Dan Carpenter
@ 2013-09-11 18:13 ` Miller, Mike (OS Dev)
0 siblings, 0 replies; 3+ messages in thread
From: Miller, Mike (OS Dev) @ 2013-09-11 18:13 UTC (permalink / raw)
To: Dan Carpenter, Andrew Morton
Cc: ISS StorageDev, linux-kernel@vger.kernel.org,
kernel-janitors@vger.kernel.org, Moritz Muehlenhoff
-----Original Message-----
From: Dan Carpenter [mailto:dan.carpenter@oracle.com]
Sent: Wednesday, September 11, 2013 2:39 AM
To: Miller, Mike (OS Dev); Andrew Morton
Cc: ISS StorageDev; linux-kernel@vger.kernel.org; kernel-janitors@vger.kernel.org; Moritz Muehlenhoff
Subject: [patch -resend] cciss: info leak in cciss_ioctl32_passthru()
The arg64 struct has a hole after ->buf_size which isn't cleared.
Or if any of the calls to copy_from_user() fail then that would cause an information leak as well.
This was assigned CVE-2013-2147.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Mike Miller <mike.miller@hp.com>
diff --git a/drivers/block/cciss.c b/drivers/block/cciss.c index 6374dc1..34971aa 100644
--- a/drivers/block/cciss.c
+++ b/drivers/block/cciss.c
@@ -1189,6 +1189,7 @@ static int cciss_ioctl32_passthru(struct block_device *bdev, fmode_t mode,
int err;
u32 cp;
+ memset(&arg64, 0, sizeof(arg64));
err = 0;
err | copy_from_user(&arg64.LUN_info, &arg32->LUN_info,
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2013-09-11 18:13 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2013-06-03 9:26 [patch] cciss: info leak in cciss_ioctl32_passthru() Dan Carpenter
2013-09-11 7:38 ` [patch -resend] " Dan Carpenter
2013-09-11 18:13 ` Miller, Mike (OS Dev)
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).