* [PATCH] drivers/net/tulip/de4x5.c: prevent reading uninitialized stack memory
From: Dan Rosenberg @ 2010-09-11 23:46 UTC
To: grundler, kyle; +Cc: linux-kernel, security

The DE4X5_GET_REG device ioctl allows unprivileged users to read 32
bytes of uninitialized stack memory, because it copies the
uninitialized "addr" member instead of the intended "lval" member.
This patch takes care of it.

Signed-off-by: Dan Rosenberg <dan.j.rosenberg@gmail.com>

--- linux-2.6.35.4.orig/drivers/net/tulip/de4x5.c 2010-09-11
19:12:27.000000000 -0400
+++ linux-2.6.35.4/drivers/net/tulip/de4x5.c 2010-09-11 19:17:12.000000000 -0400
@@ -5474,7 +5474,7 @@ de4x5_ioctl(struct net_device *dev, stru
tmp.lval[6] = inl(DE4X5_STRR); j+=4;
tmp.lval[7] = inl(DE4X5_SIGR); j+=4;
ioc->len = j;
- if (copy_to_user(ioc->data, tmp.addr, ioc->len)) return -EFAULT;
+ if (copy_to_user(ioc->data, tmp.lval, ioc->len)) return -EFAULT;
break;
#define DE4X5_DUMP 0x0f /* Dump the DE4X5 Status */
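
Review bot: the changelog's claim that `tmp.addr` is uninitialized at the copy_to_user() call cannot be checked from this hunk, because the declaration of `tmp` lies outside the context shown and the visible stores only touch `tmp.lval[6]` and `tmp.lval[7]`. Please state in the changelog how `tmp` is declared and whether `addr` and `lval` share storage, so it is clear whether the change fixes a disclosure or is a readability fix. Separately, the `---` header appears split across two lines here and should be rejoined before the patch is applied.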
* Re: [PATCH] drivers/net/tulip/de4x5.c: prevent reading uninitialized stack memory
From: Grant Grundler @ 2010-09-14 19:36 UTC
To: Dan Rosenberg, David Miller; +Cc: grundler, kyle, linux-kernel, security
On Sat, Sep 11, 2010 at 07:46:38PM -0400, Dan Rosenberg wrote:
> The DE4X5_GET_REG device ioctl allows unprivileged users to read 32
> bytes of uninitialized stack memory, because it copies the
> uninitialized "addr" member instead of the intended "lval" member.
> This patch takes care of it.

Dan, Good catch.
Dave, please apply.

>
> Signed-off-by: Dan Rosenberg <dan.j.rosenberg@gmail.com>

Acked-by: Grant Grundler <grundler@parisc-linux.org>

thanks,
grant

>
> --- linux-2.6.35.4.orig/drivers/net/tulip/de4x5.c 2010-09-11
> 19:12:27.000000000 -0400
> +++ linux-2.6.35.4/drivers/net/tulip/de4x5.c 2010-09-11 19:17:12.000000000 -0400
> @@ -5474,7 +5474,7 @@ de4x5_ioctl(struct net_device *dev, stru
> tmp.lval[6] = inl(DE4X5_STRR); j+=4;
> tmp.lval[7] = inl(DE4X5_SIGR); j+=4;
> ioc->len = j;
> - if (copy_to_user(ioc->data, tmp.addr, ioc->len)) return -EFAULT;
> + if (copy_to_user(ioc->data, tmp.lval, ioc->len)) return -EFAULT;
> break;
>
> #define DE4X5_DUMP 0x0f /* Dump the DE4X5 Status */
* Re: [PATCH] drivers/net/tulip/de4x5.c: prevent reading uninitialized stack memory
From: Jeff Mahoney @ 2010-09-15 15:42 UTC
To: Dan Rosenberg; +Cc: grundler, kyle, linux-kernel, security
On 09/11/2010 07:46 PM, Dan Rosenberg wrote:
> The DE4X5_GET_REG device ioctl allows unprivileged users to read 32
> bytes of uninitialized stack memory, because it copies the
> uninitialized "addr" member instead of the intended "lval" member.
> This patch takes care of it.
>
> Signed-off-by: Dan Rosenberg <dan.j.rosenberg@gmail.com>

No. This patch may be considered for correctness, but there's no
security issue here.

'tmp' is a union, not a struct. Writes to lval are the same as writes to
addr. The length is correctly determined so that only initialized memory
is used.

-Jeff

> --- linux-2.6.35.4.orig/drivers/net/tulip/de4x5.c 2010-09-11
> 19:12:27.000000000 -0400
> +++ linux-2.6.35.4/drivers/net/tulip/de4x5.c 2010-09-11 19:17:12.000000000 -0400
> @@ -5474,7 +5474,7 @@ de4x5_ioctl(struct net_device *dev, stru
> tmp.lval[6] = inl(DE4X5_STRR); j+=4;
> tmp.lval[7] = inl(DE4X5_SIGR); j+=4;
> ioc->len = j;
> - if (copy_to_user(ioc->data, tmp.addr, ioc->len)) return -EFAULT;
> + if (copy_to_user(ioc->data, tmp.lval, ioc->len)) return -EFAULT;
> break;
>
> #define DE4X5_DUMP 0x0f /* Dump the DE4X5 Status */
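
Review bot: the copy length in `ioc->len = j;` comes from a counter bumped by hand (`j+=4`) next to each `tmp.lval[n]` store, so nothing in these lines ties it to the size of the buffer handed to copy_to_user(). With the source now spelled `tmp.lval`, consider checking `j` against `sizeof(tmp.lval)`, or add a comment stating that `j` equals the number of bytes stored, so that adding or removing a register read later cannot make the length and the filled region disagree.
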
--
Jeff Mahoney
SUSE Labs
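
Added example, not part of the thread or the driver: a user-space model of the copy discussed above, showing how the result depends on whether "addr" and "lval" share storage. The two layouts, fake_inl() and the 0xAA poison byte are assumptions made for illustration; the thread does not show the declaration of tmp.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NREGS  8
#define POISON 0xAA   /* constructed stand-in for stale stack contents */

/* Hypothetical layouts with the same members, differing only in the keyword. */
union  tmp_union  { uint8_t addr[NREGS * 4]; uint32_t lval[NREGS]; };
struct tmp_struct { uint8_t addr[NREGS * 4]; uint32_t lval[NREGS]; };

/* Constructed stand-in for inl(): a recognisable value per register. */
static uint32_t fake_inl(int reg) { return 0x11111111u * (uint32_t)(reg + 1); }

/* Count bytes in the outgoing buffer that were never written by the driver. */
static int stale_bytes(const uint8_t *out, size_t len)
{
    int n = 0;
    for (size_t i = 0; i < len; i++)
        n += (out[i] == POISON);
    return n;
}

/* Fill lval, then copy from addr, as the pre-patch line does. */
#define MODEL(name, type)                                             \
int name(void)                                                        \
{                                                                     \
    type tmp;                                                         \
    uint8_t user[NREGS * 4];                                          \
    size_t j = 0;                                                     \
    memset(&tmp, POISON, sizeof tmp);      /* simulate stale stack */ \
    for (int i = 0; i < NREGS; i++) { tmp.lval[i] = fake_inl(i); j += 4; } \
    memcpy(user, tmp.addr, j);             /* models copy_to_user() */ \
    return stale_bytes(user, j);                                      \
}

MODEL(stale_with_union,  union tmp_union)
MODEL(stale_with_struct, struct tmp_struct)

int main(void)
{
    printf("union : %d stale bytes copied out\n", stale_with_union());
    printf("struct: %d stale bytes copied out\n", stale_with_struct());
    return 0;
}
```
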