* [patch] cciss: info leak in cciss_ioctl32_passthru()
@ 2013-06-03 9:26 ` Dan Carpenter
0 siblings, 0 replies; 9+ messages in thread
From: Dan Carpenter @ 2013-06-03 9:26 UTC (permalink / raw)
To: Mike Miller; +Cc: iss_storagedev, linux-kernel, kernel-janitors

The arg64 struct has a hole after ->buf_size which isn't cleared.
Or if any of the calls to copy_from_user() fail then that would
cause an information leak as well.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
diff --git a/drivers/block/cciss.c b/drivers/block/cciss.c
index 6374dc1..34971aa 100644
--- a/drivers/block/cciss.c
+++ b/drivers/block/cciss.c
@@ -1201,6 +1201,7 @@ static int cciss_ioctl32_passthru(struct block_device *bdev, fmode_t mode,
int err;
u32 cp;
+ memset(&arg64, 0, sizeof(arg64));
err = 0;
err |=
copy_from_user(&arg64.LUN_info, &arg32->LUN_info,
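Review bot: The changelog names the hole after ->buf_size but not the place where arg64 is later handed back to user space, so the leak path cannot be confirmed from the added memset(&arg64, 0, sizeof(arg64)); line and its context alone. Say in the commit message where the structure is copied out, and state that this is cciss_ioctl32_passthru() rather than the similarly named cciss_ioctl32_big_passthru(), since the two are easy to confuse when checking whether an earlier fix already covers this.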
^ permalink raw reply related [flat|nested] 9+ messages in thread
* [patch -resend] cciss: info leak in cciss_ioctl32_passthru()
2013-06-03 9:26 ` Dan Carpenter
@ 2013-09-11 7:38 ` Dan Carpenter
-1 siblings, 0 replies; 9+ messages in thread
From: Dan Carpenter @ 2013-09-11 7:38 UTC (permalink / raw)
To: Mike Miller, Andrew Morton
Cc: iss_storagedev, linux-kernel, kernel-janitors, Moritz Muehlenhoff

The arg64 struct has a hole after ->buf_size which isn't cleared.
Or if any of the calls to copy_from_user() fail then that would
cause an information leak as well.

This was assigned CVE-2013-2147.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
diff --git a/drivers/block/cciss.c b/drivers/block/cciss.c
index 6374dc1..34971aa 100644
--- a/drivers/block/cciss.c
+++ b/drivers/block/cciss.c
@@ -1189,6 +1189,7 @@ static int cciss_ioctl32_passthru(struct block_device *bdev, fmode_t mode,
int err;
u32 cp;
+ memset(&arg64, 0, sizeof(arg64));
err = 0;
err |=
copy_from_user(&arg64.LUN_info, &arg32->LUN_info,
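Review bot: The message for this resend cites CVE-2013-2147 but carries no stable tag, so nothing marks the one-line memset() before err = 0; for backporting to maintained releases. Consider adding a Cc: stable@vger.kernel.org line next to the Signed-off-by. The hunk header also moved from -1201 to -1189 while the index line still reads 6374dc1..34971aa, so it is worth confirming the patch was regenerated against the current tree.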
^ permalink raw reply related [flat|nested] 9+ messages in thread
* RE: [patch -resend] cciss: info leak in cciss_ioctl32_passthru()
2013-09-11 7:38 ` Dan Carpenter
@ 2013-09-11 18:13 ` Miller, Mike (OS Dev)
-1 siblings, 0 replies; 9+ messages in thread
From: Miller, Mike (OS Dev) @ 2013-09-11 18:13 UTC (permalink / raw)
To: Dan Carpenter, Andrew Morton
Cc: ISS StorageDev, linux-kernel, kernel-janitors, Moritz Muehlenhoff

-----Original Message-----
From: Dan Carpenter [mailto:dan.carpenter@oracle.com]
Sent: Wednesday, September 11, 2013 2:39 AM
To: Miller, Mike (OS Dev); Andrew Morton
Cc: ISS StorageDev; linux-kernel@vger.kernel.org; kernel-janitors@vger.kernel.org; Moritz Muehlenhoff
Subject: [patch -resend] cciss: info leak in cciss_ioctl32_passthru()

The arg64 struct has a hole after ->buf_size which isn't cleared.
Or if any of the calls to copy_from_user() fail then that would cause an information leak as well.

This was assigned CVE-2013-2147.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Mike Miller <mike.miller@hp.com>
diff --git a/drivers/block/cciss.c b/drivers/block/cciss.c index 6374dc1..34971aa 100644
--- a/drivers/block/cciss.c
+++ b/drivers/block/cciss.c
@@ -1189,6 +1189,7 @@ static int cciss_ioctl32_passthru(struct block_device *bdev, fmode_t mode,
int err;
u32 cp;
+ memset(&arg64, 0, sizeof(arg64));
err = 0;
err |=
copy_from_user(&arg64.LUN_info, &arg32->LUN_info,
^ permalink raw reply [flat|nested] 9+ messages in thread
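The leak this patch closes, as an added example that is not part of the thread or the cciss driver: `struct demo_arg64`, `copy_field()` and `stale_bytes()` are hypothetical names, and the layout is an assumed stand-in for arg64 (a 16-bit size followed by a pointer). A failing copy is modelled as leaving its destination untouched, which is the case the commit message names.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for arg64: a 16-bit size followed by a pointer
 * leaves an alignment hole after buf_size. */
struct demo_arg64 {
    uint8_t  lun_info[8];
    uint8_t  request[16];
    uint16_t buf_size;
    void    *buf;
};
#define STALE 0xA5  /* marks leftover stack contents */
#define HOLE  (offsetof(struct demo_arg64, buf) - \
               offsetof(struct demo_arg64, buf_size) - sizeof(uint16_t))
#define AT(f) (a + offsetof(struct demo_arg64, f))

/* Models one copy_from_user() call; on failure dst is left as it was. */
static void copy_field(unsigned char *dst, const void *src, size_t n, int fail)
{
    if (!fail)
        memcpy(dst, src, n);
}

/* Fill the struct field by field and count bytes still holding stale data. */
size_t stale_bytes(int zero_first, int fail_request)
{
    static const uint8_t lun[8], req[16];   /* constructed user input: zeros */
    unsigned char a[sizeof(struct demo_arg64)];
    uint16_t size = 0;
    void *buf = NULL;
    size_t i, n = 0;

    memset(a, STALE, sizeof(a));            /* simulate an uninitialised stack slot */
    if (zero_first)
        memset(a, 0, sizeof(a));            /* the patch's one-line fix */
    copy_field(AT(lun_info), lun, sizeof(lun), 0);
    copy_field(AT(request), req, sizeof(req), fail_request);
    copy_field(AT(buf_size), &size, sizeof(size), 0);
    copy_field(AT(buf), &buf, sizeof(buf), 0);
    for (i = 0; i < sizeof(a); i++)
        n += (a[i] == STALE);
    return n;
}

int main(void)
{
    printf("%zu %zu %zu\n", stale_bytes(0, 0), stale_bytes(0, 1), stale_bytes(1, 1));
    return 0;
}
```

Without the memset only the padding bytes stay stale; with a failed field copy the whole field does too, and zeroing first removes both.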
* Re: [patch] cciss: info leak in cciss_ioctl32_passthru()
2013-06-04 11:16 ` Dan Carpenter
@ 2013-06-04 11:48 ` P J P
0 siblings, 0 replies; 9+ messages in thread
From: P J P @ 2013-06-04 11:48 UTC (permalink / raw)
To: Dan Carpenter; +Cc: linux-kernel, Petr Matousek, Vasily Kulikov

| No no. Vasily patched cciss_ioctl32_big_passthru() and this patch
| changes cciss_ioctl32_passthru().

Oops, yeah, I missed the `big' part!

Thanks.
--
Prasad J Pandit / Red Hat Security Response Team
DB7A 84C5 D3F9 7CD1 B5EB C939 D048 7860 3655 602B
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [patch] cciss: info leak in cciss_ioctl32_passthru()
2013-06-04 10:39 [patch] " P J P
@ 2013-06-04 11:16 ` Dan Carpenter
2013-06-04 11:48 ` P J P
0 siblings, 1 reply; 9+ messages in thread
From: Dan Carpenter @ 2013-06-04 11:16 UTC (permalink / raw)
To: P J P; +Cc: linux-kernel, Petr Matousek, Vasily Kulikov

On Tue, Jun 04, 2013 at 04:09:10PM +0530, P J P wrote:
> Hello Dan,
> ===
> diff --git a/drivers/block/cciss.c b/drivers/block/cciss.c
> index 6374dc1..34971aa 100644
> --- a/drivers/block/cciss.c
> +++ b/drivers/block/cciss.c
> @@ -1201,6 +1201,7 @@ static int cciss_ioctl32_passthru(struct
> block_device *bdev, fmode_t mode,
> int err;
> u32 cp;
>
> + memset(&arg64, 0, sizeof(arg64));
> ...
> ===
>
> This exact same patch was included back in 2010 by Mr Vasiliy Kulikov.
>
> -> https://git.kernel.org/linus/7ab5118d7c2be650bc936894f159dc1c597badae
>
> But there is no entry/log of its reversal. Any idea why it was removed?

No no. Vasily patched cciss_ioctl32_big_passthru() and this patch
changes cciss_ioctl32_passthru().

regards,
dan carpenter
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [patch] cciss: info leak in cciss_ioctl32_passthru()
@ 2013-06-04 10:39 P J P
2013-06-04 11:16 ` Dan Carpenter
0 siblings, 1 reply; 9+ messages in thread
From: P J P @ 2013-06-04 10:39 UTC (permalink / raw)
To: linux-kernel; +Cc: Dan Carpenter, Petr Matousek

Hello Dan,

===
diff --git a/drivers/block/cciss.c b/drivers/block/cciss.c
index 6374dc1..34971aa 100644
--- a/drivers/block/cciss.c
+++ b/drivers/block/cciss.c
@@ -1201,6 +1201,7 @@ static int cciss_ioctl32_passthru(struct block_device
*bdev, fmode_t mode,
int err;
u32 cp;
+ memset(&arg64, 0, sizeof(arg64));
...
===
This exact same patch was included back in 2010 by Mr Vasiliy Kulikov.

-> https://git.kernel.org/linus/7ab5118d7c2be650bc936894f159dc1c597badae

But there is no entry/log of its reversal. Any idea why it was removed?

Thank you.
--
Prasad J Pandit / Red Hat Security Response Team
DB7A 84C5 D3F9 7CD1 B5EB C939 D048 7860 3655 602B
^ permalink raw reply related [flat|nested] 9+ messages in thread