From: Dan Carpenter <dan.carpenter@oracle.com>
To: Maximilian Luz <luzmaximilian@gmail.com>
Cc: Hans de Goede <hdegoede@redhat.com>,
Mark Gross <mgross@linux.intel.com>,
platform-driver-x86@vger.kernel.org,
kernel-janitors@vger.kernel.org
Subject: [PATCH] platform/surface: aggregator: prevent information leak in ssam_cdev_request()
Date: Wed, 13 Jan 2021 08:16:21 +0000 [thread overview]
Message-ID: <X/6sVaewHLPzv00U@mwanda> (raw)
If copy_struct_from_user() fails at the start of the function then this
function calls put_user(rsp.length, &r->response.length) before
"rsp.length" is set to zero. That is a potential security issue because
it discloses kernel stack data to user space.
Fixes: 178f6ab77e61 ("platform/surface: Add Surface Aggregator user-space interface")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
drivers/platform/surface/surface_aggregator_cdev.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/drivers/platform/surface/surface_aggregator_cdev.c b/drivers/platform/surface/surface_aggregator_cdev.c
index 340d15b148b9..05e9eb118d76 100644
--- a/drivers/platform/surface/surface_aggregator_cdev.c
+++ b/drivers/platform/surface/surface_aggregator_cdev.c
@@ -67,7 +67,7 @@ static long ssam_cdev_request(struct ssam_cdev *cdev, unsigned long arg)
struct ssam_cdev_request __user *r;
struct ssam_cdev_request rqst;
struct ssam_request spec;
- struct ssam_response rsp;
+ struct ssam_response rsp = {};
const void __user *plddata;
void __user *rspdata;
int status = 0, ret = 0, tmp;
@@ -96,8 +96,6 @@ static long ssam_cdev_request(struct ssam_cdev *cdev, unsigned long arg)
spec.flags |= SSAM_REQUEST_UNSEQUENCED;
rsp.capacity = rqst.response.length;
- rsp.length = 0;
- rsp.pointer = NULL;
/* Get request payload from user-space. */
if (spec.length) {
--
2.29.2
next reply other threads:[~2021-01-13 8:16 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-01-13 8:16 Dan Carpenter [this message]
2021-01-13 9:29 ` [PATCH] platform/surface: aggregator: prevent information leak in ssam_cdev_request() Hans de Goede
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=X/6sVaewHLPzv00U@mwanda \
--to=dan.carpenter@oracle.com \
--cc=hdegoede@redhat.com \
--cc=kernel-janitors@vger.kernel.org \
--cc=luzmaximilian@gmail.com \
--cc=mgross@linux.intel.com \
--cc=platform-driver-x86@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox