* [PATCH v2] drivers/video/via/ioctl.c: prevent reading
@ 2010-09-15 23:08 Dan Rosenberg
2010-09-15 23:45 ` [PATCH v2] drivers/video/via/ioctl.c: prevent reading uninitialized Florian Tobias Schandinat
0 siblings, 1 reply; 2+ messages in thread
From: Dan Rosenberg @ 2010-09-15 23:08 UTC (permalink / raw)
To: JosephChan, ScottFang, FlorianSchandinat
Cc: linux-fbdev, linux-kernel, security, stable
Disregard previous version, which had a typo and wouldn't compile.
Also, math is fun: the ioctl allows reading of 1968 BITS = 246 bytes,
not 1968 bytes as previously reported.
The VIAFB_GET_INFO device ioctl allows unprivileged users to read 246
bytes of uninitialized stack memory, because the "reserved" member of
the viafb_ioctl_info struct declared on the stack is not altered or
zeroed before being copied back to the user. This patch takes care of
it.
Signed-off-by: Dan Rosenberg <dan.j.rosenberg@gmail.com>
--- linux-2.6.35.4.orig/drivers/video/via/ioctl.c 2010-08-26 19:47:12.000000000 -0400
+++ linux-2.6.35.4/drivers/video/via/ioctl.c 2010-09-15 11:53:29.997375748 -0400
@@ -25,6 +25,8 @@ int viafb_ioctl_get_viafb_info(u_long ar
{
struct viafb_ioctl_info viainfo;
+ memset(&viainfo, 0, sizeof(struct viafb_ioctl_info));
+
viainfo.viafb_id = VIAID;
viainfo.vendor_id = PCI_VIA_VENDOR_ID;
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: [PATCH v2] drivers/video/via/ioctl.c: prevent reading uninitialized
2010-09-15 23:08 [PATCH v2] drivers/video/via/ioctl.c: prevent reading Dan Rosenberg
@ 2010-09-15 23:45 ` Florian Tobias Schandinat
0 siblings, 0 replies; 2+ messages in thread
From: Florian Tobias Schandinat @ 2010-09-15 23:45 UTC (permalink / raw)
To: Dan Rosenberg
Cc: JosephChan, ScottFang, linux-fbdev, linux-kernel, security,
stable
Dan Rosenberg schrieb:
> Disregard previous version, which had a typo and wouldn't compile.
> Also, math is fun: the ioctl allows reading of 1968 BITS = 246 bytes,
> not 1968 bytes as previously reported.
Thanks, I will take care of getting it in mainline as soon as possible,
Florian Tobias Schandinat
>
> The VIAFB_GET_INFO device ioctl allows unprivileged users to read 246
> bytes of uninitialized stack memory, because the "reserved" member of
> the viafb_ioctl_info struct declared on the stack is not altered or
> zeroed before being copied back to the user. This patch takes care of
> it.
>
> Signed-off-by: Dan Rosenberg <dan.j.rosenberg@gmail.com>
>
> --- linux-2.6.35.4.orig/drivers/video/via/ioctl.c 2010-08-26 19:47:12.000000000 -0400
> +++ linux-2.6.35.4/drivers/video/via/ioctl.c 2010-09-15 11:53:29.997375748 -0400
> @@ -25,6 +25,8 @@ int viafb_ioctl_get_viafb_info(u_long ar
> {
> struct viafb_ioctl_info viainfo;
>
> + memset(&viainfo, 0, sizeof(struct viafb_ioctl_info));
> +
> viainfo.viafb_id = VIAID;
> viainfo.vendor_id = PCI_VIA_VENDOR_ID;
>
>
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-fbdev" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
>
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2010-09-15 23:45 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2010-09-15 23:08 [PATCH v2] drivers/video/via/ioctl.c: prevent reading Dan Rosenberg
2010-09-15 23:45 ` [PATCH v2] drivers/video/via/ioctl.c: prevent reading uninitialized Florian Tobias Schandinat
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).