linux-kernel.vger.kernel.org archive mirror
From: Russell King <rmk+lkml@arm.linux.org.uk>
To: Christoph Hellwig <hch@infradead.org>,
	Alessandro Zummo <alessandro.zummo@towertech.it>,
	linux-kernel@vger.kernel.org
Subject: Re: [RFC][PATCH 1/6] RTC subsystem, class
Date: Tue, 20 Dec 2005 21:30:13 +0000
Message-ID: <20051220213013.GB31364@flint.arm.linux.org.uk>
In-Reply-To: <20051220211344.GA14403@infradead.org>

On Tue, Dec 20, 2005 at 09:13:45PM +0000, Christoph Hellwig wrote:
> > +int rtc_read_time(struct class_device *class_dev, struct rtc_time *tm)
> > +{
> > +	int err = -EINVAL;
> > +	struct rtc_class_ops *ops = class_get_devdata(class_dev);
> > +
> > +	if (ops->read_time) {
> > +		memset(tm, 0, sizeof(struct rtc_time));
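Review bot: the memset() of *tm before the driver callback is the right defensive default rather than a redundancy: the struct is caller-supplied, typically a stack local that is later copied to userspace, so any field a driver's read_time leaves unwritten would otherwise carry stale kernel stack contents. Suggest a one-line comment above the memset stating that it exists to prevent an information leak from drivers that do not fill every field, so a later cleanup does not drop it.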
> 
> do we really need the memset?

Absolutely yes, otherwise if 'tm' is on the stack and it ultimately
gets copied to userspace, it will leak kernel memory.  Why?
Unfortunately, not all elements of 'tm' are written to by RTC
drivers.

You can argue that the RTC drivers need fixing, but since this bug
has gone completely unnoticed in _all_ kernels which have an RTC
driver up until I discovered it and reported it to vendor-sec
during the 2.5 cycle, I think a little bit of cheap protection
against buggy drivers when security leaks are concerned is not
unreasonable.  Especially when they don't get found in the normal
run of things.

(you could make a case for eliminating it _if_ there was an RTC
subsystem maintainer who knew the code and therefore knew what
to look out for.)

-- 
Russell King
 Linux kernel    2.6 ARM Linux   - http://www.arm.linux.org.uk/
 maintainer of:  2.6 Serial core
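The leak Russell describes, modelled in userspace as an added example (not code from the thread or the kernel): a hypothetical RTC driver fills only the date/time fields of a caller's stack-allocated struct, and the wrapper either zeroes the struct first, as the quoted rtc_read_time() does, or does not. The stack is simulated by pre-filling the struct with a sentinel byte, and the count of sentinel bytes left after the call stands in for the bytes that would reach userspace. The struct layout mirrors the kernel's struct rtc_time, but the driver, the sentinel and the wrapper names are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Userspace model of the kernel's struct rtc_time (same field order;
 * constructed here so the example builds stand-alone). */
struct rtc_time {
    int tm_sec, tm_min, tm_hour, tm_mday, tm_mon, tm_year,
        tm_wday, tm_yday, tm_isdst;
};

/* Sentinel byte standing in for whatever a previous call left on the stack. */
#define STALE 0xA5

/* Hypothetical buggy RTC driver: writes the six date/time fields and never
 * touches tm_wday, tm_yday or tm_isdst. Values are arbitrary. */
static int buggy_driver_read_time(struct rtc_time *tm)
{
    tm->tm_sec = 13; tm->tm_min = 30; tm->tm_hour = 21;
    tm->tm_mday = 20; tm->tm_mon = 11; tm->tm_year = 105;
    return 0;
}

/* Count bytes of *tm still holding the stale pattern after the driver ran;
 * in the kernel these are the bytes that would be copied to userspace. */
static size_t stale_bytes(const struct rtc_time *tm)
{
    const unsigned char *p = (const unsigned char *)tm;
    size_t n = 0;
    for (size_t i = 0; i < sizeof *tm; i++)
        if (p[i] == STALE)
            n++;
    return n;
}

/* Mirrors the quoted rtc_read_time(): zero the whole struct before handing
 * it to the driver, so unwritten fields are 0 rather than stack garbage. */
static int read_time_zeroed(struct rtc_time *tm)
{
    memset(tm, 0, sizeof *tm);
    return buggy_driver_read_time(tm);
}

/* Same call without the defensive memset, for comparison only. */
static int read_time_unzeroed(struct rtc_time *tm)
{
    return buggy_driver_read_time(tm);
}

/* Simulate the caller's stack slot: fill it with stale data, as an earlier
 * function's locals would have, then run the wrapper and measure what is left. */
size_t leaked_bytes(int (*read_time)(struct rtc_time *))
{
    struct rtc_time tm;
    memset(&tm, STALE, sizeof tm);
    read_time(&tm);
    return stale_bytes(&tm);
}

size_t leaked_with_memset(void)    { return leaked_bytes(read_time_zeroed); }
size_t leaked_without_memset(void) { return leaked_bytes(read_time_unzeroed); }

int main(void)
{
    printf("stale bytes with memset:    %zu\n", leaked_with_memset());
    printf("stale bytes without memset: %zu\n", leaked_without_memset());
    return 0;
}
```

With the memset no stale bytes survive; without it the three untouched int fields (tm_wday, tm_yday, tm_isdst) still hold the sentinel, which is exactly the data a copy_to_user() of the struct would hand to the caller. The cheap zeroing in the core is what makes the result independent of whether every driver fills every field.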


Thread overview: 14+ messages
2005-12-20 20:45 [RFC][PATCH 1/6] RTC subsystem, class Alessandro Zummo
2005-12-20 21:13 ` Christoph Hellwig
2005-12-20 21:23   ` Alessandro Zummo
2005-12-21  1:50     ` Mitchell Blank Jr
2005-12-21  9:30       ` Alessandro Zummo
2005-12-20 21:30   ` Russell King [this message]
2005-12-21  2:01 ` Dmitry Torokhov
2005-12-21  9:50   ` Alessandro Zummo
2005-12-21 19:43     ` Dmitry Torokhov
2005-12-21 23:10       ` Alessandro Zummo
2005-12-22 13:35 ` Pavel Machek
2005-12-26  2:47   ` Alessandro Zummo
2005-12-26 20:16     ` Pavel Machek
2005-12-27  3:16       ` Alessandro Zummo
