| commit | 6f3fc70b17939b2b3786198d6d5f30c2066516c9 | |
| author | Stefan Richter <stefanr@s5r6.in-berlin.de> | |
| Wed, 7 Apr 2010 06:30:50 +0000 (7 08:30 +0200) | ||
| committer | Greg Kroah-Hartman <gregkh@suse.de> | |
| Thu, 9 Dec 2010 21:26:48 +0000 (9 13:26 -0800) | ||
| tree | a7881aad79df80d66437b639158b60c6e8fcb409 | treesnapshot (tar.gz zip) |
| parent | fda45f0be5c9d1671b6bc5b35b6143360f2b10bd | commitdiff |
firewire: cdev: fix information leak
commit 9cac00b8f0079d5d3d54ec4dae453d58dec30e7c upstream.
A userspace client got to see uninitialized stack-allocated memory if it
specified an _IOC_READ type of ioctl and an argument size larger than
expected by firewire-core's ioctl handlers (but not larger than the
core's union ioctl_arg).
Fix this by clearing the requested buffer size to zero, but only at _IOR
ioctls. This way, there is almost no runtime penalty to legitimate
ioctls. The only legitimate _IOR is FW_CDEV_IOC_GET_CYCLE_TIMER with 12
or 16 bytes to memset.
[Another way to fix this would be strict checking of argument size (and
possibly direction) vs. command number. However, we then need a lookup
table, and we need to allow for slight size deviations in case of 32bit
userland on 64bit kernel.]
Reported-by: Clemens Ladisch <clemens@ladisch.de>
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
[ Backported to 2.6.32 firewire core -maks ]
Signed-off-by: maximilian attems <max@stro.at>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
commit 9cac00b8f0079d5d3d54ec4dae453d58dec30e7c upstream.
A userspace client got to see uninitialized stack-allocated memory if it
specified an _IOC_READ type of ioctl and an argument size larger than
expected by firewire-core's ioctl handlers (but not larger than the
core's union ioctl_arg).
Fix this by clearing the requested buffer size to zero, but only at _IOR
ioctls. This way, there is almost no runtime penalty to legitimate
ioctls. The only legitimate _IOR is FW_CDEV_IOC_GET_CYCLE_TIMER with 12
or 16 bytes to memset.
[Another way to fix this would be strict checking of argument size (and
possibly direction) vs. command number. However, we then need a lookup
table, and we need to allow for slight size deviations in case of 32bit
userland on 64bit kernel.]
Reported-by: Clemens Ladisch <clemens@ladisch.de>
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
[ Backported to 2.6.32 firewire core -maks ]
Signed-off-by: maximilian attems <max@stro.at>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
| drivers/firewire/core-cdev.c | diffblobblamehistory |