* [PATCH] drivers/video/sis/sis_main.c: prevent reading uninitialized stack memory
@ 2010-09-15 21:43 Dan Rosenberg
2010-09-16 21:06 ` [Security] " Andrew Morton
0 siblings, 1 reply; 2+ messages in thread
From: Dan Rosenberg @ 2010-09-15 21:43 UTC (permalink / raw)
To: thomas; +Cc: linux-kernel, security, stable
The FBIOGET_VBLANK device ioctl allows unprivileged users to read 16
bytes of uninitialized stack memory, because the "reserved" member of
the fb_vblank struct declared on the stack is not altered or zeroed
before being copied back to the user. This patch takes care of it.
Signed-off-by: Dan Rosenberg <dan.j.rosenberg@gmail.com>
--- linux-2.6.35.4.orig/drivers/video/sis/sis_main.c 2010-08-26 19:47:12.000000000 -0400
+++ linux-2.6.35.4/drivers/video/sis/sis_main.c 2010-09-15 11:52:41.437375730 -0400
@@ -1701,6 +1701,9 @@ static int sisfb_ioctl(struct fb_info *i
break;
case FBIOGET_VBLANK:
+
+ memset(&sisvbblank, 0, sizeof(struct fb_vblank));
+
sisvbblank.count = 0;
sisvbblank.flags = sisfb_setupvbblankflags(ivideo, &sisvbblank.vcount, &sisvbblank.hcount);
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: [Security] [PATCH] drivers/video/sis/sis_main.c: prevent reading uninitialized stack memory
2010-09-15 21:43 [PATCH] drivers/video/sis/sis_main.c: prevent reading uninitialized stack memory Dan Rosenberg
@ 2010-09-16 21:06 ` Andrew Morton
0 siblings, 0 replies; 2+ messages in thread
From: Andrew Morton @ 2010-09-16 21:06 UTC (permalink / raw)
To: Dan Rosenberg; +Cc: thomas, security, linux-kernel, stable
On Wed, 15 Sep 2010 17:43:53 -0400
Dan Rosenberg <drosenberg@vsecurity.com> wrote:
> The FBIOGET_VBLANK device ioctl allows unprivileged users to read 16
> bytes of uninitialized stack memory, because the "reserved" member of
> the fb_vblank struct declared on the stack is not altered or zeroed
> before being copied back to the user. This patch takes care of it.
>
> Signed-off-by: Dan Rosenberg <dan.j.rosenberg@gmail.com>
>
> --- linux-2.6.35.4.orig/drivers/video/sis/sis_main.c 2010-08-26 19:47:12.000000000 -0400
> +++ linux-2.6.35.4/drivers/video/sis/sis_main.c 2010-09-15 11:52:41.437375730 -0400
> @@ -1701,6 +1701,9 @@ static int sisfb_ioctl(struct fb_info *i
> break;
>
> case FBIOGET_VBLANK:
> +
> + memset(&sisvbblank, 0, sizeof(struct fb_vblank));
grumble. Every one of these patches I need to go in and check that the
types are correct. In this case, that sisvbblank really does have the
type `struct fb_vblank'.
If the code had done
memset(&sisvbblank, 0, sizeof(sisvbblank));
then I wouldn't need to do that.
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2010-09-16 21:07 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2010-09-15 21:43 [PATCH] drivers/video/sis/sis_main.c: prevent reading uninitialized stack memory Dan Rosenberg
2010-09-16 21:06 ` [Security] " Andrew Morton
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.