* [patch] [media] bt8xx: info leak in ca_get_slot_info()
@ 2013-07-25 16:46 Dan Carpenter
2013-07-25 17:29 ` walter harms
0 siblings, 1 reply; 3+ messages in thread
From: Dan Carpenter @ 2013-07-25 16:46 UTC
To: Mauro Carvalho Chehab
Cc: Antti Palosaari, Nickolai Zeldovich, Peter Senna Tschudin,
Andy Shevchenko, linux-media, kernel-janitors
p_ca_slot_info was allocated with kmalloc() so we need to clear it
before passing it to the user.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
diff --git a/drivers/media/pci/bt8xx/dst_ca.c b/drivers/media/pci/bt8xx/dst_ca.c
index 0e788fc..6b9dc3f 100644
--- a/drivers/media/pci/bt8xx/dst_ca.c
+++ b/drivers/media/pci/bt8xx/dst_ca.c
@@ -302,8 +302,11 @@ static int ca_get_slot_info(struct dst_state *state, struct ca_slot_info *p_ca_s
p_ca_slot_info->flags = CA_CI_MODULE_READY;
p_ca_slot_info->num = 1;
p_ca_slot_info->type = CA_CI;
- } else
+ } else {
p_ca_slot_info->flags = 0;
+ p_ca_slot_info->num = 0;
+ p_ca_slot_info->type = 0;
+ }
if (copy_to_user(arg, p_ca_slot_info, sizeof (struct ca_slot_info)))
return -EFAULT;
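Review bot: In the new else branch, num and type are cleared one member at a time, which stays leak-free only while every member of struct ca_slot_info is assigned on both paths before the copy_to_user() of sizeof (struct ca_slot_info). Consider zeroing the whole struct once before the if, or allocating it zeroed, so that a member added later cannot reintroduce the leak. The changelog could also name num and type as the members that were left uninitialised.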
* Re: [patch] [media] bt8xx: info leak in ca_get_slot_info()
From: walter harms @ 2013-07-25 17:29 UTC
To: Dan Carpenter
Cc: Mauro Carvalho Chehab, Antti Palosaari, Nickolai Zeldovich,
Peter Senna Tschudin, Andy Shevchenko, linux-media,
kernel-janitors
On 25.07.2013 18:46, Dan Carpenter wrote:
> p_ca_slot_info was allocated with kmalloc() so we need to clear it
> before passing it to the user.
>
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
>
> diff --git a/drivers/media/pci/bt8xx/dst_ca.c b/drivers/media/pci/bt8xx/dst_ca.c
> index 0e788fc..6b9dc3f 100644
> --- a/drivers/media/pci/bt8xx/dst_ca.c
> +++ b/drivers/media/pci/bt8xx/dst_ca.c
> @@ -302,8 +302,11 @@ static int ca_get_slot_info(struct dst_state *state, struct ca_slot_info *p_ca_s
> p_ca_slot_info->flags = CA_CI_MODULE_READY;
> p_ca_slot_info->num = 1;
> p_ca_slot_info->type = CA_CI;
> - } else
> + } else {
> p_ca_slot_info->flags = 0;
> + p_ca_slot_info->num = 0;
> + p_ca_slot_info->type = 0;
> + }
>
> if (copy_to_user(arg, p_ca_slot_info, sizeof (struct ca_slot_info)))
> return -EFAULT;
note: I have no clue what p_ca_slot_info looks like,
but to avoid information leaks via compiler padding etc. it could be wiser
to do a memset(p_ca_slot_info,0,sizeof (struct ca_slot_info))
and then set the
p_ca_slot_info->flags = CA_CI_MODULE_READY;
p_ca_slot_info->num = 1;
p_ca_slot_info->type = CA_CI;
just my 2 cents,
re,
wh
* Re: [patch] [media] bt8xx: info leak in ca_get_slot_info()
From: Dan Carpenter @ 2013-07-25 17:38 UTC
To: walter harms
Cc: Mauro Carvalho Chehab, Antti Palosaari, Nickolai Zeldovich,
Peter Senna Tschudin, Andy Shevchenko, linux-media,
kernel-janitors
On Thu, Jul 25, 2013 at 07:29:09PM +0200, walter harms wrote:
>
>
> On 25.07.2013 18:46, Dan Carpenter wrote:
> > p_ca_slot_info was allocated with kmalloc() so we need to clear it
> > before passing it to the user.
> >
> > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> >
> > diff --git a/drivers/media/pci/bt8xx/dst_ca.c b/drivers/media/pci/bt8xx/dst_ca.c
> > index 0e788fc..6b9dc3f 100644
> > --- a/drivers/media/pci/bt8xx/dst_ca.c
> > +++ b/drivers/media/pci/bt8xx/dst_ca.c
> > @@ -302,8 +302,11 @@ static int ca_get_slot_info(struct dst_state *state, struct ca_slot_info *p_ca_s
> > p_ca_slot_info->flags = CA_CI_MODULE_READY;
> > p_ca_slot_info->num = 1;
> > p_ca_slot_info->type = CA_CI;
> > - } else
> > + } else {
> > p_ca_slot_info->flags = 0;
> > + p_ca_slot_info->num = 0;
> > + p_ca_slot_info->type = 0;
> > + }
> >
> > if (copy_to_user(arg, p_ca_slot_info, sizeof (struct ca_slot_info)))
> > return -EFAULT;
>
> note: I have no clue what p_ca_slot_info looks like,
> but to avoid information leaks via compiler padding etc. it could be wiser
> to do a memset(p_ca_slot_info,0,sizeof (struct ca_slot_info))
> and then set the
There is no compiler padding. My static checker looks for that.
regards,
dan carpenter
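
The two cases argued in this thread, as an added user-space illustration that is not code from the patch or the driver: members left unassigned in heap memory that is then copied out whole, and padding that member stores need not touch. It assumes the struct holds only the three int-sized members the patch assigns; `struct padded`, the 0xAA fill and every function name are constructed for the demonstration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define STALE 0xAA /* recognisable fill standing in for old kmalloc() contents */
/* slot_info: assumed layout, the three members the patch assigns, int-sized.
   padded: hypothetical struct with a hole after 'tag', for contrast. */
struct slot_info { int num; int type; unsigned int flags; };
struct padded { char tag; int value; };

static void *stale_alloc(size_t n)
{
    void *p = malloc(n);
    if (!p) abort();
    return memset(p, STALE, n);
}

/* Count bytes still holding the fill, then release the buffer. */
static size_t stale_left(void *buf, size_t n)
{
    unsigned char *b = buf;
    size_t hits = 0;
    for (size_t i = 0; i < n; i++) hits += (b[i] == STALE);
    free(buf);
    return hits;
}

/* "No module" branch: stale bytes a whole-struct copy would hand out. */
size_t slot_leak(int patched)
{
    struct slot_info *s = stale_alloc(sizeof(*s));
    s->flags = 0;                             /* all the old else branch set */
    if (patched) { s->num = 0; s->type = 0; } /* the two added assignments */
    return stale_left(s, sizeof(*s));
}

/* Member stores need not touch padding; zeroing the whole struct first does. */
size_t padded_leak(int zero_first)
{
    struct padded *p = stale_alloc(sizeof(*p));
    if (zero_first) memset(p, 0, sizeof(*p));
    p->tag = 1; p->value = 0;
    return stale_left(p, sizeof(*p));
}

int main(void)
{
    printf("slot_info: old=%zu patched=%zu | padded: fields-only=%zu zeroed=%zu\n",
           slot_leak(0), slot_leak(1), padded_leak(0), padded_leak(1));
    return 0;
}
```
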