All of lore.kernel.org
 help / color / mirror / Atom feed
* [PATCH] drivers/video/sis/sis_main.c: prevent reading uninitialized stack memory
@ 2010-09-15 21:43 Dan Rosenberg
  2010-09-16 21:06 ` [Security] " Andrew Morton
  0 siblings, 1 reply; 2+ messages in thread
From: Dan Rosenberg @ 2010-09-15 21:43 UTC (permalink / raw)
  To: thomas; +Cc: linux-kernel, security, stable

The FBIOGET_VBLANK device ioctl allows unprivileged users to read 16
bytes of uninitialized stack memory, because the "reserved" member of
the fb_vblank struct declared on the stack is not altered or zeroed
before being copied back to the user.  This patch takes care of it.

Signed-off-by: Dan Rosenberg <dan.j.rosenberg@gmail.com>

--- linux-2.6.35.4.orig/drivers/video/sis/sis_main.c	2010-08-26 19:47:12.000000000 -0400
+++ linux-2.6.35.4/drivers/video/sis/sis_main.c	2010-09-15 11:52:41.437375730 -0400
@@ -1701,6 +1701,9 @@ static int	sisfb_ioctl(struct fb_info *i
 		break;
 
 	   case FBIOGET_VBLANK:
+
+		memset(&sisvbblank, 0, sizeof(struct fb_vblank));
+
 		sisvbblank.count = 0;
 		sisvbblank.flags = sisfb_setupvbblankflags(ivideo, &sisvbblank.vcount, &sisvbblank.hcount);
 





^ permalink raw reply	[flat|nested] 2+ messages in thread
* Re: [Security] [PATCH] drivers/video/sis/sis_main.c: prevent reading uninitialized stack memory
  2010-09-15 21:43 [PATCH] drivers/video/sis/sis_main.c: prevent reading uninitialized stack memory Dan Rosenberg
@ 2010-09-16 21:06 ` Andrew Morton
  0 siblings, 0 replies; 2+ messages in thread
From: Andrew Morton @ 2010-09-16 21:06 UTC (permalink / raw)
  To: Dan Rosenberg; +Cc: thomas, security, linux-kernel, stable

On Wed, 15 Sep 2010 17:43:53 -0400
Dan Rosenberg <drosenberg@vsecurity.com> wrote:

> The FBIOGET_VBLANK device ioctl allows unprivileged users to read 16
> bytes of uninitialized stack memory, because the "reserved" member of
> the fb_vblank struct declared on the stack is not altered or zeroed
> before being copied back to the user.  This patch takes care of it.
> 
> Signed-off-by: Dan Rosenberg <dan.j.rosenberg@gmail.com>
> 
> --- linux-2.6.35.4.orig/drivers/video/sis/sis_main.c	2010-08-26 19:47:12.000000000 -0400
> +++ linux-2.6.35.4/drivers/video/sis/sis_main.c	2010-09-15 11:52:41.437375730 -0400
> @@ -1701,6 +1701,9 @@ static int	sisfb_ioctl(struct fb_info *i
>  		break;
>  
>  	   case FBIOGET_VBLANK:
> +
> +		memset(&sisvbblank, 0, sizeof(struct fb_vblank));

grumble.  Every one of these patches I need to go in and check that the
types are correct.  In this case, that sisvbblank really does have the
type `struct fb_vblank'.

If the code had done

		memset(&sisvbblank, 0, sizeof(sisvbblank));

then I wouldn't need to do that.


^ permalink raw reply	[flat|nested] 2+ messages in thread
end of thread, other threads:[~2010-09-16 21:07 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2010-09-15 21:43 [PATCH] drivers/video/sis/sis_main.c: prevent reading uninitialized stack memory Dan Rosenberg
2010-09-16 21:06 ` [Security] " Andrew Morton

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.