On Mon, 2018-06-25 at 20:16 +0200, Jann Horn wrote:
> On Mon, Jun 25, 2018 at 6:41 PM Al Viro <viro@xxxxxxxxxxxxxxxxxx> wrote:
> >
> > On Mon, Jun 25, 2018 at 06:34:10PM +0200, Jann Horn wrote:
> >
> > > + char tmp[32];
> > >
> > > - if (namelen > 32)
> > > + if (namelen < 0 || namelen > 32)
> > > namelen = 32;
> > >
> > > down_read(&uts_sem);
> > > kname = utsname()->domainname;
> > > len = strnlen(kname, namelen);
> > > - if (copy_to_user(name, kname, min(len + 1, namelen)))
> > > - err = -EFAULT;
> > > + len = min(len + 1, namelen);
> > > + memcpy(tmp, kname, len);
> > > up_read(&uts_sem);
> > >
> > > - return err;
> > > + if (copy_to_user(name, tmp, len))
> > > + return -EFAULT;
> >
> > Infoleak, and similar in a lot of other places.
>
> I don't see a problem. copy_to_user() copies "len" bytes from "tmp".
[...]
> Can you please explain why there is an infoleak here?

I think you're *fixing* information leaks in the Alpha syscalls, because
a negative value of namelen used to result in a huge length argument to
copy_to_user().

Ben.

-- 
Ben Hutchings
Once a job is fouled up, anything done to improve it makes it worse.
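Review bot: In the quoted hunk the new `char tmp[32]` and the clamp `if (namelen < 0 || namelen > 32) namelen = 32;` are kept in step only by repeating the literal 32; writing the clamp against `(int)sizeof(tmp)` instead would stop the stack buffer and the bound from drifting apart if either is later changed. The commit message should also spell out why there is no leak from the uninitialized tail of `tmp`: `memcpy(tmp, kname, len)` and `copy_to_user(name, tmp, len)` use the same `len`, so only bytes that were written are ever copied out, which is the point Al's "Infoleak" remark is asking about. One pre-existing edge remains unchanged and is worth a sentence: when the domainname fills all 32 bytes, `strnlen(kname, namelen)` returns 32, `min(len + 1, namelen)` picks 32, and the caller receives no terminating NUL.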
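As an added illustration of Ben's point (example code written for this page, not code from the thread or from the kernel), the following user-space model runs the quoted osf_getdomainname() logic before and after the patch against a mock copy_to_user() that records the length it was handed. It assumes the 32-byte bound and the int types of `len` and `namelen` shown in the hunk, uses a constructed domainname in place of utsname()->domainname, and supplies its own kernel-style strnlen() so it compiles stand-alone.

```c
/* Added example, not kernel code: models the quoted Alpha getdomainname()
 * before and after the patch.  Assumptions: the 32-byte clamp and int
 * len/namelen from the hunk; copy_to_user() and utsname() are mocked. */
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EFAULT 14
#define USER_BUF_SIZE 64          /* size of the "user" destination buffer */

/* Constructed stand-in for utsname()->domainname. */
static const char kernel_domainname[65] = "example.org";

/* Length most recently handed to mock_copy_to_user(). */
static size_t last_copy_len;

/* Kernel-style strnlen(): count is size_t, so a negative int caller value
 * arrives here as a huge unsigned number and the scan stops only at NUL. */
static size_t kstrnlen(const char *s, size_t count)
{
	size_t n = 0;
	while (n < count && s[n] != '\0')
		n++;
	return n;
}

/* Mock copy_to_user(): unsigned length like the kernel's; returns the
 * number of bytes it could not copy (the "fault" case copies nothing). */
static unsigned long mock_copy_to_user(char *to, const char *from, size_t n)
{
	last_copy_len = n;
	if (n > USER_BUF_SIZE)
		return n - USER_BUF_SIZE;
	memcpy(to, from, n);
	return 0;
}

/* The kernel min() on two ints is a signed comparison. */
static int imin(int a, int b) { return a < b ? a : b; }

/* Before the patch: only the upper bound is clamped, so a negative namelen
 * reaches strnlen() and copy_to_user() converted to a huge size_t. */
static int getdomainname_before(char *name, int namelen)
{
	const char *kname = kernel_domainname;
	int len;

	if (namelen > 32)
		namelen = 32;
	len = kstrnlen(kname, namelen);
	if (mock_copy_to_user(name, kname, imin(len + 1, namelen)))
		return -EFAULT;
	return 0;
}

/* After the patch: negative lengths are clamped, at most 32 bytes are
 * staged in tmp, and only the len bytes actually written are copied. */
static int getdomainname_after(char *name, int namelen)
{
	char tmp[32];
	const char *kname = kernel_domainname;
	int len;

	if (namelen < 0 || namelen > 32)
		namelen = 32;
	len = kstrnlen(kname, namelen);
	len = imin(len + 1, namelen);
	memcpy(tmp, kname, len);
	if (mock_copy_to_user(name, tmp, len))
		return -EFAULT;
	return 0;
}

/* Run one variant with a fresh user buffer and report the copy length. */
size_t copy_len_before(int namelen)
{
	char user[USER_BUF_SIZE] = {0};
	getdomainname_before(user, namelen);
	return last_copy_len;
}

size_t copy_len_after(int namelen)
{
	char user[USER_BUF_SIZE] = {0};
	getdomainname_after(user, namelen);
	return last_copy_len;
}

/* 1 if the patched variant succeeded and delivered exactly `want`. */
int after_delivers(int namelen, const char *want)
{
	char user[USER_BUF_SIZE] = {0};
	return getdomainname_after(user, namelen) == 0 &&
	       memcmp(user, want, strlen(want)) == 0;
}

int main(void)
{
	printf("before, namelen=-1: copy_to_user length %zu\n", copy_len_before(-1));
	printf("after,  namelen=-1: copy_to_user length %zu\n", copy_len_after(-1));
	printf("after,  namelen=5:  copy_to_user length %zu\n", copy_len_after(5));
	return 0;
}
```

With namelen = -1 the old code hands copy_to_user() a length of SIZE_MAX (the kernel's min() picks the negative value and the size_t parameter makes it huge), which is the leak Ben describes; the patched code clamps it to 32 and copies only the 12 bytes of "example.org" plus its NUL. A short positive namelen such as 5 copies exactly 5 bytes with no terminator, in both versions.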