* [patch] Input: potential info leak in uiput_ff_upload_to_user()
@ 2011-09-23 6:22 ` Dan Carpenter
0 siblings, 0 replies; 6+ messages in thread
From: Dan Carpenter @ 2011-09-23 6:22 UTC (permalink / raw)
To: Dmitry Torokhov
Cc: Henrik Rydberg, Ping Cheng, Peter Hutterer, Aristeu Rozanski,
linux-input, kernel-janitors
Smatch has a new check for Rosenberg type information leaks where
structs are copied to the user with uninitialized stack data in them.
The issue here is that struct uinput_ff_upload_compat has a hole in
it.
struct uinput_ff_upload_compat {
int request_id; /* 0 4 */
int retval; /* 4 4 */
struct ff_effect_compat effect; /* 8 0 */
/* XXX 44 bytes hole, try to pack */
struct ff_effect_compat old; /* 52 0 */
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
diff --git a/drivers/input/misc/uinput.c b/drivers/input/misc/uinput.c
index 7360568..40e2ba4 100644
--- a/drivers/input/misc/uinput.c
+++ b/drivers/input/misc/uinput.c
@@ -528,6 +528,8 @@ static int uinput_ff_upload_to_user(char __user *buffer,
if (INPUT_COMPAT_TEST) {
struct uinput_ff_upload_compat ff_up_compat;
+ memset(&ff_up_compat, 0, sizeof(ff_up_compat));
+
ff_up_compat.request_id = ff_up->request_id;
ff_up_compat.retval = ff_up->retval;
/*
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [patch] Input: potential info leak in uiput_ff_upload_to_user()
@ 2011-09-23 6:22 ` Dan Carpenter
0 siblings, 0 replies; 6+ messages in thread
From: Dan Carpenter @ 2011-09-23 6:22 UTC (permalink / raw)
To: Dmitry Torokhov
Cc: Henrik Rydberg, Ping Cheng, Peter Hutterer, Aristeu Rozanski,
linux-input, kernel-janitors
Smatch has a new check for Rosenberg type information leaks where
structs are copied to the user with uninitialized stack data in them.
The issue here is that struct uinput_ff_upload_compat has a hole in
it.
struct uinput_ff_upload_compat {
int request_id; /* 0 4 */
int retval; /* 4 4 */
struct ff_effect_compat effect; /* 8 0 */
/* XXX 44 bytes hole, try to pack */
struct ff_effect_compat old; /* 52 0 */
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
diff --git a/drivers/input/misc/uinput.c b/drivers/input/misc/uinput.c
index 7360568..40e2ba4 100644
--- a/drivers/input/misc/uinput.c
+++ b/drivers/input/misc/uinput.c
@@ -528,6 +528,8 @@ static int uinput_ff_upload_to_user(char __user *buffer,
if (INPUT_COMPAT_TEST) {
struct uinput_ff_upload_compat ff_up_compat;
+ memset(&ff_up_compat, 0, sizeof(ff_up_compat));
+
ff_up_compat.request_id = ff_up->request_id;
ff_up_compat.retval = ff_up->retval;
/*
^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [patch] Input: potential info leak in uiput_ff_upload_to_user()
2011-09-23 6:22 ` Dan Carpenter
@ 2011-09-23 7:30 ` Dmitry Torokhov
-1 siblings, 0 replies; 6+ messages in thread
From: Dmitry Torokhov @ 2011-09-23 7:30 UTC (permalink / raw)
To: Dan Carpenter
Cc: Henrik Rydberg, Ping Cheng, Peter Hutterer, Aristeu Rozanski,
linux-input, kernel-janitors
On Fri, Sep 23, 2011 at 09:22:40AM +0300, Dan Carpenter wrote:
> Smatch has a new check for Rosenberg type information leaks where
> structs are copied to the user with uninitialized stack data in them.
>
> The issue here is that struct uinput_ff_upload_compat has a hole in
> it.
>
> struct uinput_ff_upload_compat {
> int request_id; /* 0 4 */
> int retval; /* 4 4 */
> struct ff_effect_compat effect; /* 8 0 */
>
> /* XXX 44 bytes hole, try to pack */
>
> struct ff_effect_compat old; /* 52 0 */
44 bytes... doubtful...
Thanks.
--
Dmitry
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [patch] Input: potential info leak in uiput_ff_upload_to_user()
@ 2011-09-23 7:30 ` Dmitry Torokhov
0 siblings, 0 replies; 6+ messages in thread
From: Dmitry Torokhov @ 2011-09-23 7:30 UTC (permalink / raw)
To: Dan Carpenter
Cc: Henrik Rydberg, Ping Cheng, Peter Hutterer, Aristeu Rozanski,
linux-input, kernel-janitors
On Fri, Sep 23, 2011 at 09:22:40AM +0300, Dan Carpenter wrote:
> Smatch has a new check for Rosenberg type information leaks where
> structs are copied to the user with uninitialized stack data in them.
>
> The issue here is that struct uinput_ff_upload_compat has a hole in
> it.
>
> struct uinput_ff_upload_compat {
> int request_id; /* 0 4 */
> int retval; /* 4 4 */
> struct ff_effect_compat effect; /* 8 0 */
>
> /* XXX 44 bytes hole, try to pack */
>
> struct ff_effect_compat old; /* 52 0 */
44 bytes... doubtful...
Thanks.
--
Dmitry
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [patch] Input: potential info leak in uiput_ff_upload_to_user()
2011-09-23 6:22 ` Dan Carpenter
@ 2011-09-23 7:31 ` Dan Carpenter
-1 siblings, 0 replies; 6+ messages in thread
From: Dan Carpenter @ 2011-09-23 7:31 UTC (permalink / raw)
To: Dmitry Torokhov
Cc: Henrik Rydberg, Ping Cheng, Peter Hutterer, Aristeu Rozanski,
linux-input, kernel-janitors
This one is wrong as well. I suck. :/
regards,
dan carpenter
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [patch] Input: potential info leak in uiput_ff_upload_to_user()
@ 2011-09-23 7:31 ` Dan Carpenter
0 siblings, 0 replies; 6+ messages in thread
From: Dan Carpenter @ 2011-09-23 7:31 UTC (permalink / raw)
To: Dmitry Torokhov
Cc: Henrik Rydberg, Ping Cheng, Peter Hutterer, Aristeu Rozanski,
linux-input, kernel-janitors
This one is wrong as well. I suck. :/
regards,
dan carpenter
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2011-09-23 7:34 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2011-09-23 6:22 [patch] Input: potential info leak in uiput_ff_upload_to_user() Dan Carpenter
2011-09-23 6:22 ` Dan Carpenter
2011-09-23 7:30 ` Dmitry Torokhov
2011-09-23 7:30 ` Dmitry Torokhov
2011-09-23 7:31 ` Dan Carpenter
2011-09-23 7:31 ` Dan Carpenter
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.